summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--.gitignore4
-rw-r--r--.gitlab-ci.yml2
-rw-r--r--.gitmodules3
-rw-r--r--bootstrap.conf4
m---------devel/cligen0
-rw-r--r--doc/Makefile.am84
-rw-r--r--doc/manpages/Makefile.am89
-rw-r--r--doc/scripts/Makefile.am2
-rw-r--r--doc/scripts/gen-cmd-man.py348
-rw-r--r--doc/scripts/gen-cmd-texi.py267
-rw-r--r--python/Makefile.am2
-rw-r--r--python/jsonopts.py257
-rw-r--r--src/Makefile.am24
-rw-r--r--src/certtool-options.json1101
-rw-r--r--src/danetool-options.json338
-rw-r--r--src/gen-getopt.py674
-rw-r--r--src/gnutls-cli-debug-options.json107
-rw-r--r--src/gnutls-cli-options.json842
-rw-r--r--src/gnutls-serv-options.json650
-rw-r--r--src/ocsptool-options.json318
-rw-r--r--src/p11tool-options.json881
-rw-r--r--src/psktool-options.json109
-rw-r--r--src/srptool-options.json140
-rw-r--r--src/systemkey-tool-options.json97
-rw-r--r--src/tpmtool-options.json276
25 files changed, 2502 insertions, 4117 deletions
diff --git a/.gitignore b/.gitignore
index 82d976079d..68181698a0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -272,12 +272,16 @@ Makefile.user
*.out
*.plist
python/__pycache__/
+python/cligen
+python/cli-*gen.py
src/benchmark
src/benchmark-cipher
src/benchmark-tls
src/certtool
src/certtool-options.c
src/certtool-options.h
+src/cli-cfg.c
+src/cli-cfg.h
src/dumpcfg
src/gnutls-cli-options.c
src/gnutls-cli-options.h
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index c74e7d66ab..ddf766aa8c 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -540,8 +540,6 @@ fedora-static-analyzers/test:
paths:
- cache/cppcheck
script:
- - MYPYPATH=$PWD/python mypy python/*.py doc/scripts/*.py src/*.py
- - flake8 python/*.py doc/scripts/*.py src/*.py
- mkdir -p cache/cppcheck
- cppcheck --cppcheck-build-dir=cache/cppcheck --force -q -Ilib/includes -Igl/ -Ilib/ -I. --error-exitcode=1 lib/ -i lib/unistring -i lib/minitasn1 -i lib/nettle/backport -i lib/nettle/ecc -j2 $CPPCHECK_OPTIONS
- cppcheck --cppcheck-build-dir=cache/cppcheck --force -q -Ilib/includes -Igl/ -Ilibdane/ -I. --error-exitcode=1 libdane/ -j2 $CPPCHECK_OPTIONS
diff --git a/.gitmodules b/.gitmodules
index 7c2637e346..b5e27b90eb 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -22,3 +22,6 @@
[submodule "devel/abi-dump"]
path = devel/abi-dump
url = https://gitlab.com/gnutls/abi-dump.git
+[submodule "devel/cligen"]
+ path = devel/cligen
+ url = https://gitlab.com/gnutls/cligen.git
diff --git a/bootstrap.conf b/bootstrap.conf
index 4392236bbc..33bd1f229d 100644
--- a/bootstrap.conf
+++ b/bootstrap.conf
@@ -23,7 +23,7 @@ gnulib_tool_option_extras="--without-tests --avoid=alignof-tests --avoid=lock-te
use_libtool=1
checkout_only_file=
local_gl_dir=gl/override/
-required_submodules="tests/suite/tls-fuzzer/python-ecdsa tests/suite/tls-fuzzer/tlsfuzzer tests/suite/tls-fuzzer/tlslite-ng devel/abi-dump devel/nettle devel/openssl devel/libtasn1"
+required_submodules="tests/suite/tls-fuzzer/python-ecdsa tests/suite/tls-fuzzer/tlsfuzzer tests/suite/tls-fuzzer/tlslite-ng devel/abi-dump devel/cligen devel/nettle devel/openssl devel/libtasn1"
# Those modules are common to lib/ and src/.
common_modules="
@@ -93,4 +93,6 @@ EOF
devel/import-from-nettle.sh
devel/import-minitasn1.sh
+
+ make -C devel/cligen install DESTDIR=$PWD/python || return 1
}
diff --git a/devel/cligen b/devel/cligen
new file mode 160000
+Subproject 8b12ee6f36349f9f39d5a244347ba616116d621
diff --git a/doc/Makefile.am b/doc/Makefile.am
index 9c8e9141fd..a7a54df465 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -40,14 +40,23 @@ endif
-include $(top_srcdir)/doc/doc.mk
+CLIGEN_ARGS = \
+ --bug-email bugs@gnutls.org \
+ --copyright-year 2000-2021 \
+ --copyright-holder 'Free Software Foundation, and others' \
+ --license gpl3+ \
+ --package '$(PACKAGE)' \
+ --version '$(VERSION)'
+
INVOKE_GNUTLS_CLI_TEXI_DEPS = gnutls-cli-see-also.texi gnutls-cli-examples.texi
EXTRA_DIST += $(INVOKE_GNUTLS_CLI_TEXI_DEPS)
invoke-gnutls-cli.texi: $(INVOKE_GNUTLS_CLI_TEXI_DEPS)
invoke-gnutls-cli.texi: $(top_srcdir)/src/gnutls-cli-options.json
$(AM_V_GEN) PYTHONPATH='$(top_srcdir)/python' \
- $(PYTHON) $(srcdir)/scripts/gen-cmd-texi.py \
- --see-also $(srcdir)/gnutls-cli-see-also.texi \
- --examples $(srcdir)/gnutls-cli-examples.texi \
+ $(PYTHON) $(top_srcdir)/python/cli-docgen.py \
+ --format texi $(CLIGEN_ARGS) \
+ --include see-also=$(srcdir)/gnutls-cli-see-also.texi \
+ --include examples=$(srcdir)/gnutls-cli-examples.texi \
$< $@
INVOKE_GNUTLS_CLI_DEBUG_TEXI_DEPS = gnutls-cli-debug-see-also.texi gnutls-cli-debug-examples.texi
@@ -55,9 +64,10 @@ EXTRA_DIST += $(INVOKE_GNUTLS_CLI_DEBUG_TEXI_DEPS)
invoke-gnutls-cli-debug.texi: $(INVOKE_GNUTLS_CLI_DEBUG_TEXI_DEPS)
invoke-gnutls-cli-debug.texi: $(top_srcdir)/src/gnutls-cli-debug-options.json
$(AM_V_GEN) PYTHONPATH='$(top_srcdir)/python' \
- $(PYTHON) $(srcdir)/scripts/gen-cmd-texi.py \
- --see-also $(srcdir)/gnutls-cli-debug-see-also.texi \
- --examples $(srcdir)/gnutls-cli-debug-examples.texi \
+ $(PYTHON) $(top_srcdir)/python/cli-docgen.py \
+ --format texi $(CLIGEN_ARGS) \
+ --include see-also=$(srcdir)/gnutls-cli-debug-see-also.texi \
+ --include examples=$(srcdir)/gnutls-cli-debug-examples.texi \
$< $@
INVOKE_GNUTLS_SERV_TEXI_DEPS = gnutls-serv-see-also.texi gnutls-serv-examples.texi
@@ -65,9 +75,10 @@ EXTRA_DIST += $(INVOKE_GNUTLS_SERV_TEXI_DEPS)
invoke-gnutls-serv.texi: $(INVOKE_GNUTLS_SERV_TEXI_DEPS)
invoke-gnutls-serv.texi: $(top_srcdir)/src/gnutls-serv-options.json
$(AM_V_GEN) PYTHONPATH='$(top_srcdir)/python' \
- $(PYTHON) $(srcdir)/scripts/gen-cmd-texi.py \
- --see-also $(srcdir)/gnutls-serv-see-also.texi \
- --examples $(srcdir)/gnutls-serv-examples.texi \
+ $(PYTHON) $(top_srcdir)/python/cli-docgen.py \
+ --format texi $(CLIGEN_ARGS) \
+ --include see-also=$(srcdir)/gnutls-serv-see-also.texi \
+ --include examples=$(srcdir)/gnutls-serv-examples.texi \
$< $@
INVOKE_CERTTOOL_TEXI_DEPS = certtool-see-also.texi certtool-examples.texi certtool-files.texi
@@ -75,10 +86,11 @@ EXTRA_DIST += $(INVOKE_CERTTOOL_TEXI_DEPS)
invoke-certtool.texi: $(INVOKE_CERTTOOL_TEXI_DEPS)
invoke-certtool.texi: $(top_srcdir)/src/certtool-options.json
$(AM_V_GEN) PYTHONPATH='$(top_srcdir)/python' \
- $(PYTHON) $(srcdir)/scripts/gen-cmd-texi.py \
- --see-also $(srcdir)/certtool-see-also.texi \
- --examples $(srcdir)/certtool-examples.texi \
- --files $(srcdir)/certtool-files.texi \
+ $(PYTHON) $(top_srcdir)/python/cli-docgen.py \
+ --format texi $(CLIGEN_ARGS) \
+ --include see-also=$(srcdir)/certtool-see-also.texi \
+ --include examples=$(srcdir)/certtool-examples.texi \
+ --include files=$(srcdir)/certtool-files.texi \
--level 1 \
--section-node \
$< $@
@@ -88,10 +100,11 @@ EXTRA_DIST += $(INVOKE_OCSPTOOL_TEXI_DEPS)
invoke-ocsptool.texi: $(INVOKE_OCSPTOOL_TEXI_DEPS)
invoke-ocsptool.texi: $(top_srcdir)/src/ocsptool-options.json
$(AM_V_GEN) PYTHONPATH='$(top_srcdir)/python' \
- $(PYTHON) $(srcdir)/scripts/gen-cmd-texi.py \
- --see-also $(srcdir)/ocsptool-see-also.texi \
- --examples $(srcdir)/ocsptool-examples.texi \
- --description $(srcdir)/ocsptool-description.texi \
+ $(PYTHON) $(top_srcdir)/python/cli-docgen.py \
+ --format texi $(CLIGEN_ARGS) \
+ --include see-also=$(srcdir)/ocsptool-see-also.texi \
+ --include examples=$(srcdir)/ocsptool-examples.texi \
+ --include description=$(srcdir)/ocsptool-description.texi \
--level 1 \
--section-node \
$< $@
@@ -101,9 +114,10 @@ EXTRA_DIST += $(INVOKE_DANETOOL_TEXI_DEPS)
invoke-danetool.texi: $(INVOKE_DANETOOL_TEXI_DEPS)
invoke-danetool.texi: $(top_srcdir)/src/danetool-options.json
$(AM_V_GEN) PYTHONPATH='$(top_srcdir)/python' \
- $(PYTHON) $(srcdir)/scripts/gen-cmd-texi.py \
- --see-also $(srcdir)/danetool-see-also.texi \
- --examples $(srcdir)/danetool-examples.texi \
+ $(PYTHON) $(top_srcdir)/python/cli-docgen.py \
+ --format texi $(CLIGEN_ARGS) \
+ --include see-also=$(srcdir)/danetool-see-also.texi \
+ --include examples=$(srcdir)/danetool-examples.texi \
--level 1 \
--section-node \
$< $@
@@ -113,9 +127,10 @@ EXTRA_DIST += $(INVOKE_SRPTOOL_TEXI_DEPS)
invoke-srptool.texi: $(INVOKE_SRPTOOL_TEXI_DEPS)
invoke-srptool.texi: $(top_srcdir)/src/srptool-options.json
$(AM_V_GEN) PYTHONPATH='$(top_srcdir)/python' \
- $(PYTHON) $(srcdir)/scripts/gen-cmd-texi.py \
- --see-also $(srcdir)/srptool-see-also.texi \
- --examples $(srcdir)/srptool-examples.texi \
+ $(PYTHON) $(top_srcdir)/python/cli-docgen.py \
+ --format texi $(CLIGEN_ARGS) \
+ --include see-also=$(srcdir)/srptool-see-also.texi \
+ --include examples=$(srcdir)/srptool-examples.texi \
--level 2 \
--section-node \
$< $@
@@ -125,9 +140,10 @@ EXTRA_DIST += $(INVOKE_PSKTOOL_TEXI_DEPS)
invoke-psktool.texi: $(INVOKE_PSKTOOL_TEXI_DEPS)
invoke-psktool.texi: $(top_srcdir)/src/psktool-options.json
$(AM_V_GEN) PYTHONPATH='$(top_srcdir)/python' \
- $(PYTHON) $(srcdir)/scripts/gen-cmd-texi.py \
- --see-also $(srcdir)/psktool-see-also.texi \
- --examples $(srcdir)/psktool-examples.texi \
+ $(PYTHON) $(top_srcdir)/python/cli-docgen.py \
+ --format texi $(CLIGEN_ARGS) \
+ --include see-also=$(srcdir)/psktool-see-also.texi \
+ --include examples=$(srcdir)/psktool-examples.texi \
--level 2 \
--section-node \
$< $@
@@ -137,9 +153,10 @@ EXTRA_DIST += $(INVOKE_P11TOOL_TEXI_DEPS)
invoke-p11tool.texi: $(INVOKE_P11TOOL_TEXI_DEPS)
invoke-p11tool.texi: $(top_srcdir)/src/p11tool-options.json
$(AM_V_GEN) PYTHONPATH='$(top_srcdir)/python' \
- $(PYTHON) $(srcdir)/scripts/gen-cmd-texi.py \
- --see-also $(srcdir)/p11tool-see-also.texi \
- --examples $(srcdir)/p11tool-examples.texi \
+ $(PYTHON) $(top_srcdir)/python/cli-docgen.py \
+ --format texi $(CLIGEN_ARGS) \
+ --include see-also=$(srcdir)/p11tool-see-also.texi \
+ --include examples=$(srcdir)/p11tool-examples.texi \
--level 1 \
--section-node \
$< $@
@@ -149,9 +166,10 @@ EXTRA_DIST += $(INVOKE_TPMTOOL_TEXI_DEPS)
invoke-tpmtool.texi: $(INVOKE_TPMTOOL_TEXI_DEPS)
invoke-tpmtool.texi: $(top_srcdir)/src/tpmtool-options.json
$(AM_V_GEN) PYTHONPATH='$(top_srcdir)/python' \
- $(PYTHON) $(srcdir)/scripts/gen-cmd-texi.py \
- --see-also $(srcdir)/tpmtool-see-also.texi \
- --examples $(srcdir)/tpmtool-examples.texi \
+ $(PYTHON) $(top_srcdir)/python/cli-docgen.py \
+ --format texi $(CLIGEN_ARGS) \
+ --include see-also=$(srcdir)/tpmtool-see-also.texi \
+ --include examples=$(srcdir)/tpmtool-examples.texi \
--level 1 \
--section-node \
$< $@
@@ -172,7 +190,7 @@ AUTOGENED_DOC = invoke-gnutls-cli.texi invoke-gnutls-cli-debug.texi \
invoke-ocsptool.texi invoke-psktool.texi invoke-p11tool.texi \
invoke-tpmtool.texi invoke-danetool.texi
-$(AUTOGENED_DOC): $(srcdir)/scripts/gen-cmd-texi.py
+$(AUTOGENED_DOC): $(top_srcdir)/python/cli-docgen.py
gnutls_TEXINFOS += stamp_functions
diff --git a/doc/manpages/Makefile.am b/doc/manpages/Makefile.am
index e1686d390f..b4c5654a06 100644
--- a/doc/manpages/Makefile.am
+++ b/doc/manpages/Makefile.am
@@ -43,10 +43,11 @@ endif
EXTRA_DIST += $(TOOLS_MANS) $(SRP_MANS) $(DANE_MANS)
MAINTAINERCLEANFILES += $(TOOLS_MANS) $(SRP_MANS) $(DANE_MANS)
-$(man_MANS): $(top_srcdir)/doc/scripts/gen-cmd-man.py
+$(man_MANS): $(top_srcdir)/python/cli-docgen.py
-GEN_CMD_MAN_OPTIONS = \
+CLIGEN_ARGS = \
--license=gpl3+ \
+ --package '$(PACKAGE)' \
--version='$(VERSION)' \
--authors='Nikos Mavrogiannopoulos, Simon Josefsson and others; see /usr/share/doc/gnutls/AUTHORS for a complete list.' \
--copyright-year=2020-2021 \
@@ -56,93 +57,93 @@ GEN_CMD_MAN_OPTIONS = \
certtool.1: $(top_srcdir)/doc/certtool-see-also.texi $(top_srcdir)/doc/certtool-examples.texi $(top_srcdir)/doc/certtool-files.texi
certtool.1: $(top_srcdir)/src/certtool-options.json
$(AM_V_GEN) PYTHONPATH='$(top_srcdir)/python' \
- $(PYTHON) $(top_srcdir)/doc/scripts/gen-cmd-man.py \
- --see-also $(top_srcdir)/doc/certtool-see-also.texi \
- --examples $(top_srcdir)/doc/certtool-examples.texi \
- --files $(top_srcdir)/doc/certtool-files.texi \
- $(GEN_CMD_MAN_OPTIONS) \
+ $(PYTHON) $(top_srcdir)/python/cli-docgen.py \
+ --format man $(CLIGEN_ARGS) \
+ --include see-also=$(top_srcdir)/doc/certtool-see-also.texi \
+ --include examples=$(top_srcdir)/doc/certtool-examples.texi \
+ --include files=$(top_srcdir)/doc/certtool-files.texi \
$< $@
ocsptool.1: $(top_srcdir)/doc/ocsptool-see-also.texi $(top_srcdir)/doc/ocsptool-examples.texi $(top_srcdir)/doc/ocsptool-description.texi
ocsptool.1: $(top_srcdir)/src/ocsptool-options.json
$(AM_V_GEN) PYTHONPATH='$(top_srcdir)/python' \
- $(PYTHON) $(top_srcdir)/doc/scripts/gen-cmd-man.py \
- --see-also $(top_srcdir)/doc/ocsptool-see-also.texi \
- --examples $(top_srcdir)/doc/ocsptool-examples.texi \
- --description $(top_srcdir)/doc/ocsptool-description.texi \
- $(GEN_CMD_MAN_OPTIONS) \
+ $(PYTHON) $(top_srcdir)/python/cli-docgen.py \
+ --format man $(CLIGEN_ARGS) \
+ --include see-also=$(top_srcdir)/doc/ocsptool-see-also.texi \
+ --include examples=$(top_srcdir)/doc/ocsptool-examples.texi \
+ --include description=$(top_srcdir)/doc/ocsptool-description.texi \
$< $@
danetool.1: $(top_srcdir)/doc/danetool-see-also.texi $(top_srcdir)/doc/danetool-examples.texi
danetool.1: $(top_srcdir)/src/danetool-options.json
$(AM_V_GEN) PYTHONPATH='$(top_srcdir)/python' \
- $(PYTHON) $(top_srcdir)/doc/scripts/gen-cmd-man.py \
- --see-also $(top_srcdir)/doc/danetool-see-also.texi \
- --examples $(top_srcdir)/doc/danetool-examples.texi \
- $(GEN_CMD_MAN_OPTIONS) \
+ $(PYTHON) $(top_srcdir)/python/cli-docgen.py \
+ --format man $(CLIGEN_ARGS) \
+ --include see-also=$(top_srcdir)/doc/danetool-see-also.texi \
+ --include examples=$(top_srcdir)/doc/danetool-examples.texi \
$< $@
gnutls-cli.1: $(top_srcdir)/doc/gnutls-cli-see-also.texi $(top_srcdir)/doc/gnutls-cli-examples.texi
gnutls-cli.1: $(top_srcdir)/src/gnutls-cli-options.json
$(AM_V_GEN) PYTHONPATH='$(top_srcdir)/python' \
- $(PYTHON) $(top_srcdir)/doc/scripts/gen-cmd-man.py \
- --see-also $(top_srcdir)/doc/gnutls-cli-see-also.texi \
- --examples $(top_srcdir)/doc/gnutls-cli-examples.texi \
- $(GEN_CMD_MAN_OPTIONS) \
+ $(PYTHON) $(top_srcdir)/python/cli-docgen.py \
+ --format man $(CLIGEN_ARGS) \
+ --include see-also=$(top_srcdir)/doc/gnutls-cli-see-also.texi \
+ --include examples=$(top_srcdir)/doc/gnutls-cli-examples.texi \
$< $@
gnutls-serv.1: $(top_srcdir)/doc/gnutls-serv-see-also.texi $(top_srcdir)/doc/gnutls-serv-examples.texi
gnutls-serv.1: $(top_srcdir)/src/gnutls-serv-options.json
$(AM_V_GEN) PYTHONPATH='$(top_srcdir)/python' \
- $(PYTHON) $(top_srcdir)/doc/scripts/gen-cmd-man.py \
- --see-also $(top_srcdir)/doc/gnutls-serv-see-also.texi \
- --examples $(top_srcdir)/doc/gnutls-serv-examples.texi \
- $(GEN_CMD_MAN_OPTIONS) \
+ $(PYTHON) $(top_srcdir)/python/cli-docgen.py \
+ --format man $(CLIGEN_ARGS) \
+ --include see-also=$(top_srcdir)/doc/gnutls-serv-see-also.texi \
+ --include examples=$(top_srcdir)/doc/gnutls-serv-examples.texi \
$< $@
gnutls-cli-debug.1: $(top_srcdir)/doc/gnutls-cli-debug-see-also.texi $(top_srcdir)/doc/gnutls-cli-debug-examples.texi
gnutls-cli-debug.1: $(top_srcdir)/src/gnutls-cli-debug-options.json
$(AM_V_GEN) PYTHONPATH='$(top_srcdir)/python' \
- $(PYTHON) $(top_srcdir)/doc/scripts/gen-cmd-man.py \
- --see-also $(top_srcdir)/doc/gnutls-cli-debug-see-also.texi \
- --examples $(top_srcdir)/doc/gnutls-cli-debug-examples.texi \
- $(GEN_CMD_MAN_OPTIONS) \
+ $(PYTHON) $(top_srcdir)/python/cli-docgen.py \
+ --format man $(CLIGEN_ARGS) \
+ --include see-also=$(top_srcdir)/doc/gnutls-cli-debug-see-also.texi \
+ --include examples=$(top_srcdir)/doc/gnutls-cli-debug-examples.texi \
$< $@
srptool.1: $(top_srcdir)/doc/srptool-see-also.texi $(top_srcdir)/doc/srptool-examples.texi
srptool.1: $(top_srcdir)/src/srptool-options.json
$(AM_V_GEN) PYTHONPATH='$(top_srcdir)/python' \
- $(PYTHON) $(top_srcdir)/doc/scripts/gen-cmd-man.py \
- --see-also $(top_srcdir)/doc/srptool-see-also.texi \
- --examples $(top_srcdir)/doc/srptool-examples.texi \
- $(GEN_CMD_MAN_OPTIONS) \
+ $(PYTHON) $(top_srcdir)/python/cli-docgen.py \
+ --format man $(CLIGEN_ARGS) \
+ --include see-also=$(top_srcdir)/doc/srptool-see-also.texi \
+ --include examples=$(top_srcdir)/doc/srptool-examples.texi \
$< $@
p11tool.1: $(top_srcdir)/doc/p11tool-see-also.texi $(top_srcdir)/doc/p11tool-examples.texi
p11tool.1: $(top_srcdir)/src/p11tool-options.json
$(AM_V_GEN) PYTHONPATH='$(top_srcdir)/python' \
- $(PYTHON) $(top_srcdir)/doc/scripts/gen-cmd-man.py \
- --see-also $(top_srcdir)/doc/p11tool-see-also.texi \
- --examples $(top_srcdir)/doc/p11tool-examples.texi \
- $(GEN_CMD_MAN_OPTIONS) \
+ $(PYTHON) $(top_srcdir)/python/cli-docgen.py \
+ --format man $(CLIGEN_ARGS) \
+ --include see-also=$(top_srcdir)/doc/p11tool-see-also.texi \
+ --include examples=$(top_srcdir)/doc/p11tool-examples.texi \
$< $@
tpmtool.1: $(top_srcdir)/doc/tpmtool-see-also.texi $(top_srcdir)/doc/tpmtool-examples.texi
tpmtool.1: $(top_srcdir)/src/tpmtool-options.json
$(AM_V_GEN) PYTHONPATH='$(top_srcdir)/python' \
- $(PYTHON) $(top_srcdir)/doc/scripts/gen-cmd-man.py \
- --see-also $(top_srcdir)/doc/tpmtool-see-also.texi \
- --examples $(top_srcdir)/doc/tpmtool-examples.texi \
- $(GEN_CMD_MAN_OPTIONS) \
+ $(PYTHON) $(top_srcdir)/python/cli-docgen.py \
+ --format man $(CLIGEN_ARGS) \
+ --include see-also=$(top_srcdir)/doc/tpmtool-see-also.texi \
+ --include examples=$(top_srcdir)/doc/tpmtool-examples.texi \
$< $@
psktool.1: $(top_srcdir)/doc/psktool-see-also.texi $(top_srcdir)/doc/psktool-examples.texi
psktool.1: $(top_srcdir)/src/psktool-options.json
$(AM_V_GEN) PYTHONPATH='$(top_srcdir)/python' \
- $(PYTHON) $(top_srcdir)/doc/scripts/gen-cmd-man.py \
- --see-also $(top_srcdir)/doc/psktool-see-also.texi \
- --examples $(top_srcdir)/doc/psktool-examples.texi \
- $(GEN_CMD_MAN_OPTIONS) \
+ $(PYTHON) $(top_srcdir)/python/cli-docgen.py \
+ --format man $(CLIGEN_ARGS) \
+ --include see-also=$(top_srcdir)/doc/psktool-see-also.texi \
+ --include examples=$(top_srcdir)/doc/psktool-examples.texi \
$< $@
APIMANS =
diff --git a/doc/scripts/Makefile.am b/doc/scripts/Makefile.am
index f1992c73fe..b5b32fb1e7 100644
--- a/doc/scripts/Makefile.am
+++ b/doc/scripts/Makefile.am
@@ -17,4 +17,4 @@
# along with this file; if not, write to the Free Software Foundation,
# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-EXTRA_DIST = gdoc sort2.pl split-texi.pl getfuncs.pl getfuncs-map.pl gen-cmd-texi.py gen-cmd-man.py
+EXTRA_DIST = gdoc sort2.pl split-texi.pl getfuncs.pl getfuncs-map.pl
diff --git a/doc/scripts/gen-cmd-man.py b/doc/scripts/gen-cmd-man.py
deleted file mode 100644
index dbff09f94e..0000000000
--- a/doc/scripts/gen-cmd-man.py
+++ /dev/null
@@ -1,348 +0,0 @@
-#!/usr/bin/python
-# Copyright (C) 2021 Daiki Ueno
-
-# This file is part of GnuTLS.
-
-# GnuTLS is free software: you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-
-# GnuTLS is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-# General Public License for more details.
-
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see
-# <https://www.gnu.org/licenses/>.
-
-from typing import Mapping, Optional, TextIO, Sequence
-import datetime
-import io
-import re
-import jsonopts
-
-
-def gen_option_docs(meta: Mapping[str, str],
- options: Sequence[Mapping[str, str]]) -> str:
- docs = io.StringIO()
- for option in options:
- long_opt = option['long-option']
- long_opt_escaped = long_opt.replace('-', '\\-')
- short_opt = option.get('short-option')
- detail = option.get('detail')
- desc = option.get('desc')
- disable_prefix = option.get('disable-prefix')
- if disable_prefix:
- disable_opt: Optional[str] = f'{disable_prefix}{long_opt}'
- else:
- disable_opt = None
- alias = option.get('aliases')
- if alias:
- docs.write(f'''\
-.TP
-.NOP \\f\\*[B-Font]\\-\\-{long_opt_escaped}\\f[]
-This is an alias for the \\fI--{alias}\\fR option.
-''')
- if 'deprecated' in option:
- docs.write('''\
-.sp
-.B
-NOTE: THIS OPTION IS DEPRECATED
-''')
- continue
-
- arg_type = option.get('arg-type')
- if arg_type:
- arg_name = option.get('arg-name', arg_type).lower()
- arg = f'\\f\\*[I-Font]{arg_name}\\f[]'
- long_arg = f'={arg}'
- short_arg = f' {arg}'
- else:
- long_arg = ''
- short_arg = ''
- formatted_options = list()
- if short_opt:
- formatted_options.append(
- f'\\f\\*[B-Font]\\-{short_opt}\\f[]{short_arg}'
- )
- formatted_options.append(
- f'\\f\\*[B-Font]\\-\\-{long_opt_escaped}\\f[]{long_arg}'
- )
- if disable_opt:
- disable_opt_escaped = disable_opt.replace('-', '\\-')
- formatted_options.append(
- f'\\f\\*[B-Font]\\-\\-{disable_opt_escaped}\\f[]'
- )
- docs.write(f'''\
-.TP
-.NOP {', '.join(formatted_options)}
-''')
- if desc and desc[0].isupper():
- docs.write(f'{desc}.\n')
- if 'stack-arg' in option:
- docs.write(
- 'This option may appear an unlimited number of times.\n'
- )
- if arg_type == 'number':
- docs.write(
- 'This option takes an integer number as its argument.\n'
- )
- arg_min = option.get('arg-min')
- arg_max = option.get('arg-max')
- if arg_min and arg_max:
- docs.write(f'''\
-The value of
-\\f\\*[I-Font]{arg_name}\\f[]
-is constrained to being:
-.in +4
-.nf
-.na
-in the range {arg_min} through {arg_max}
-.fi
-.in -4
-''')
- conflict_opts = option.get('conflicts', '').split()
- if len(conflict_opts) > 0:
- docs.write(f'''\
-This option must not appear in combination with any of the following options:
-{', '.join(conflict_opts)}.
-''')
- require_opts = option.get('requires', '').split()
- if len(require_opts) > 0:
- docs.write(f'''\
-This option must appear in combination with the following options:
-{', '.join(require_opts)}.
-''')
- if disable_opt:
- disable_opt_escaped = disable_opt.replace('-', '\\-')
- docs.write((
- f'The \\fI{disable_opt_escaped}\\fP form '
- 'will disable the option.\n'
- ))
- if 'enabled' in option:
- docs.write('This option is enabled by default.\n')
- if desc and desc[0].isupper():
- docs.write('.sp\n')
- if detail:
- docs.write(f'{text_to_man(detail)}\n')
- if 'deprecated' in option:
- docs.write('''\
-.sp
-.B
-NOTE: THIS OPTION IS DEPRECATED
-''')
- return docs.getvalue()
-
-
-def text_to_man(s: str) -> str:
- s = re.sub(r'-', r'\\-', s)
- s = re.sub(r'(?m)^$', r'.sp', s)
- s = re.sub(r"``(.*)''", r'\\(lq\1\\(rq', s)
- return s
-
-
-def texi_to_man(s: str) -> str:
- s = text_to_man(s)
- s = re.sub(r'@([{}@])', r'\1', s)
- s = re.sub(r'@code\{(.*?)\}', r'\\fB\1\\fP', s)
- s = re.sub(r'@file\{(.*?)\}', r'\\fI\1\\fP', s)
- s = re.sub(r'@subheading (.*)', r'''.br
-\\fB\1\\fP
-.br''', s)
- s = re.sub(r'@example', r'''.br
-.in +4
-.nf''', s)
- s = re.sub(r'@end example', r'''.in -4
-.fi''', s)
- return s
-
-
-def include(name: str, includes: Mapping[str, TextIO]) -> str:
- docs = io.StringIO()
- f = includes.get(name)
- if f:
- docs.write(texi_to_man(f.read().strip()))
- return docs.getvalue()
-
-
-LICENSES = {
- 'gpl3+': 'the GNU General Public License, version 3 or later',
-}
-
-
-def gen(infile: TextIO,
- meta: Mapping[str, str],
- includes: Mapping[str, TextIO],
- man: TextIO):
- sections = [jsonopts.Section.from_json(section)
- for section in json.load(args.json)]
- sections.append(jsonopts.Section.default())
-
- prog_name = sections[0].meta['prog-name']
- prog_title = sections[0].meta['prog-title']
- argument = sections[0].meta.get('argument')
- authors = meta.get('authors', 'AUTHORS')
- copyright_year = meta.get('copyright-year',
- str(datetime.date.today().year))
- copyright_holder = meta.get('copyright-holder', 'COPYRIGHT HOLDER')
- license_text = LICENSES.get(meta['license'])
- version = meta.get('version', '')
- description = includes.get('description')
- if description:
- detail = texi_to_man(description.read())
- else:
- detail = sections[0].meta['detail']
-
- section_docs = io.StringIO()
- for section in sections:
- section_id = section.meta.get('id', '')
- if section_id:
- section_desc = section.meta['desc']
- option_docs = gen_option_docs(sections[0].meta, section.options)
- section_docs.write(f'''\
-.SS "{section_desc}"
-{option_docs}\
-''')
- else:
- section_docs.write(gen_option_docs(sections[0].meta,
- section.options))
-
- formatted_date = datetime.date.today().strftime('%d %b %Y')
- detail_concatenated = '\n.sp\n'.join(detail.strip().split('\n\n'))
- man.write(f'''\
-.de1 NOP
-. it 1 an-trap
-. if \\\\n[.$] \\,\\\\$*\\/
-..
-.ie t \\
-.ds B-Font [CB]
-.ds I-Font [CI]
-.ds R-Font [CR]
-.el \\
-.ds B-Font B
-.ds I-Font I
-.ds R-Font R
-.TH {prog_name} 1 "{formatted_date}" "{version}" "User Commands"
-.SH NAME
-\\f\\*[B-Font]{prog_name}\\fP
-\\- {prog_title}
-.SH SYNOPSIS
-\\f\\*[B-Font]{prog_name}\\fP
-.\\" Mixture of short (flag) options and long options
-[\\f\\*[B-Font]\\-flags\\f[]]
-[\\f\\*[B-Font]\\-flag\\f[] [\\f\\*[I-Font]value\\f[]]]
-[\\f\\*[B-Font]\\-\\-option-name\\f[][[=| ]\\f\\*[I-Font]value\\f[]]]
-''')
- if argument:
- man.write(f'''\
-{argument}
-.sp \\n(Ppu
-.ne 2
-
-Operands and options may be intermixed. They will be reordered.
-.sp \\n(Ppu
-.ne 2
-''')
- else:
- man.write('''\
-.sp \\n(Ppu
-.ne 2
-
-All arguments must be options.
-.sp \\n(Ppu
-.ne 2
-''')
- man.write(f'''\
-.SH "DESCRIPTION"
-{detail_concatenated}
-.sp
-.SH "OPTIONS"
-{section_docs.getvalue()}
-''')
- if 'files' in includes:
- man.write(f'''\
-.SH FILES
-{include('files', includes)}
-''')
- if 'examples' in includes:
- man.write(f'''\
-.sp
-.SH EXAMPLES
-{include('examples', includes)}
-''')
- man.write('''\
-.SH "EXIT STATUS"
-One of the following exit values will be returned:
-.TP
-.NOP 0 " (EXIT_SUCCESS)"
-Successful program execution.
-.TP
-.NOP 1 " (EXIT_FAILURE)"
-The operation failed or the command syntax was not valid.
-.PP
-''')
- if 'see-also' in includes:
- man.write(f'''\
-.SH "SEE ALSO"
-{include('see-also', includes)}
-''')
- man.write(f'''\
-.SH "AUTHORS"
-{authors}
-.SH "COPYRIGHT"
-Copyright (C) {copyright_year} {copyright_holder}
-This program is released under the terms of {license_text}.
-''')
- bug_email = meta.get('bug-email')
- if bug_email:
- man.write(f'''\
-.SH "BUGS"
-Please send bug reports to: {bug_email}
-''')
-
-
-if __name__ == '__main__':
- import argparse
- import json
-
- parser = argparse.ArgumentParser(description='generate man-page')
- parser.add_argument('json', type=argparse.FileType('r'))
- parser.add_argument('man', type=argparse.FileType('w'))
- parser.add_argument('--description', type=argparse.FileType('r'))
- parser.add_argument('--see-also', type=argparse.FileType('r'))
- parser.add_argument('--examples', type=argparse.FileType('r'))
- parser.add_argument('--files', type=argparse.FileType('r'))
- parser.add_argument('--authors', help='authors')
- parser.add_argument('--bug-email', help='bug report email address')
- parser.add_argument('--copyright-year', help='copyright year')
- parser.add_argument('--copyright-holder', help='copyright holder')
- parser.add_argument('--license', help='license')
- parser.add_argument('--version', help='version')
-
- args = parser.parse_args()
- includes = dict()
- if args.see_also:
- includes['see-also'] = args.see_also
- if args.examples:
- includes['examples'] = args.examples
- if args.files:
- includes['files'] = args.files
- if args.description:
- includes['description'] = args.description
- meta = dict()
- if args.authors:
- meta['authors'] = args.authors
- if args.bug_email:
- meta['bug-email'] = args.bug_email
- if args.copyright_year:
- meta['copyright-year'] = args.copyright_year
- if args.copyright_holder:
- meta['copyright-holder'] = args.copyright_holder
- if args.license:
- meta['license'] = args.license
- if args.version:
- meta['version'] = args.version
-
- gen(args.json, meta, includes, args.man)
diff --git a/doc/scripts/gen-cmd-texi.py b/doc/scripts/gen-cmd-texi.py
deleted file mode 100644
index 097eda81c1..0000000000
--- a/doc/scripts/gen-cmd-texi.py
+++ /dev/null
@@ -1,267 +0,0 @@
-#!/usr/bin/python
-# Copyright (C) 2021 Daiki Ueno
-
-# This file is part of GnuTLS.
-
-# GnuTLS is free software: you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-
-# GnuTLS is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-# General Public License for more details.
-
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see
-# <https://www.gnu.org/licenses/>.
-
-from typing import Mapping, Sequence, TextIO
-import io
-import jsonopts
-
-HEADINGS = ['@heading', '@subheading', '@subsubheading']
-
-
-def get_heading(level: int) -> str:
- return HEADINGS[min(level, len(HEADINGS)-1)]
-
-
-SECTIONS = ['@section', '@subsection', '@subsubsection']
-
-
-def get_section(level: int) -> str:
- return SECTIONS[min(level, len(SECTIONS)-1)]
-
-
-def shift_headings(s: str, level: int) -> str:
- for (i, h) in reversed(list(enumerate(HEADINGS))):
- r = get_heading(level+i)
- s = s.replace(h, r)
- return s
-
-
-def gen_option_docs(meta: Mapping[str, str],
- level: int,
- options: Sequence[Mapping[str, str]]) -> str:
- prog_name = meta['prog-name']
- docs = io.StringIO()
- for option in options:
- long_opt = option['long-option']
- short_opt = option.get('short-option')
- detail = option.get('detail')
- desc = option.get('desc')
- alias = option.get('aliases')
- if alias:
- docs.write(f'''\
-{get_heading(level+1)} {long_opt} option.
-@anchor{{{prog_name} {long_opt}}}
-
-This is an alias for the @code{{{alias}}} option,
-@pxref{{{prog_name} {alias}, the {alias} option documentation}}.
-
-''')
- continue
-
- if not detail or not desc:
- continue
- if short_opt:
- docs.write(
- f'{get_heading(level+1)} {long_opt} option (-{short_opt}).\n'
- )
- else:
- docs.write(f'{get_heading(level+1)} {long_opt} option.\n')
- docs.write(f'''\
-@anchor{{{prog_name} {long_opt}}}
-
-This is the ``{desc.lower()}'' option.
-''')
- arg_type = option.get('arg-type')
- if arg_type:
- arg_name = option.get('arg-name')
- if arg_name:
- docs.write((
- f'This option takes a {arg_type} argument '
- f'@file{{{arg_name}}}.\n'
- ))
- else:
- docs.write(f'This option takes a {arg_type} argument.\n')
-
- conflict_opts = option.get('conflicts', '').split()
- require_opts = option.get('requires', '').split()
- disable_prefix = option.get('disable-prefix')
- if len(conflict_opts) > 0 or len(require_opts) > 0 or \
- ('enabled' in option):
- docs.write('''
-@noindent
-This option has some usage constraints. It:
-@itemize @bullet
-''')
- if len(conflict_opts) > 0:
- docs.write(f'''\
-@item
-must not appear in combination with any of the following options:
-{', '.join(conflict_opts)}.
-''')
- if len(require_opts) > 0:
- docs.write(f'''\
-@item
-must appear in combination with the following options:
-{', '.join(require_opts)}.
-''')
- if disable_prefix:
- docs.write(f'''\
-@item
-can be disabled with --{disable_prefix}{long_opt}.
-''')
- if 'enabled' in option:
- docs.write('''\
-@item
-It is enabled by default.
-''')
- docs.write('@end itemize\n\n')
-
- docs.write(f'''\
-{detail}
-''')
- if 'deprecated' in option:
- docs.write('\n@strong{NOTE}@strong{: THIS OPTION IS DEPRECATED}\n')
-
- return docs.getvalue()
-
-
-LABELS = {
- 'see-also': 'See Also',
- 'examples': 'Examples',
- 'files': 'Files'
-}
-
-
-def include(meta: Mapping[str, str],
- level: int,
- name: str,
- includes: Mapping[str, TextIO]) -> str:
- prog_name = meta['prog-name']
- docs = io.StringIO()
- f = includes.get(name)
- if f:
- docs.write(f'''\
-@anchor{{{prog_name} {LABELS[name]}}}
-{get_heading(level+2)} {prog_name} {LABELS[name]}
-{shift_headings(f.read(), level)}\
-''')
- return docs.getvalue()
-
-
-def escape_texi(s: str) -> str:
- for c in ['@', '{', '}']:
- s = s.replace(c, f'@{c}')
- return s
-
-
-def gen(infile: TextIO,
- level: int,
- section_node: bool,
- includes: Mapping[str, TextIO],
- texi: TextIO):
- sections = [jsonopts.Section.from_json(section)
- for section in json.load(args.json)]
- sections.append(jsonopts.Section.default())
-
- prog_name = sections[0].meta['prog-name']
- description = includes.get('description')
- if description:
- detail = description.read()
- else:
- detail = sections[0].meta['detail']
-
- section_docs = io.StringIO()
- for section in sections:
- section_id = section.meta.get('id', '')
- if section_id:
- section_desc = section.meta['desc']
- option_docs = gen_option_docs(sections[0].meta, level+1,
- section.options)
- section_docs.write(f'''\
-@anchor{{{prog_name} {section_id}}}
-{get_heading(level+1)} {section_id} options
-{section_desc if section_desc.endswith('.') else section_desc + '.'}
-{option_docs}\
-''')
- else:
- section_docs.write(gen_option_docs(sections[0].meta, level,
- section.options))
-
- heading = get_section(level) if section_node else get_heading(level)
- texi.write(f'''\
-@node {prog_name} Invocation
-{heading} Invoking {prog_name}
-@pindex {prog_name}
-
-{detail}
-
-@anchor{{{prog_name} usage}}
-{get_heading(level+1)} {prog_name} help/usage (@option{{-?}})
-@cindex {prog_name} help
-
-The text printed is the same whether selected with the @code{{help}} option
-(@option{{--help}}) or the @code{{more-help}} option \
-(@option{{--more-help}}). @code{{more-help}} will print
-the usage text by passing it through a pager program.
-@code{{more-help}} is disabled on platforms without a working
-@code{{fork(2)}} function. The @code{{PAGER}} environment variable is
-used to select the program, defaulting to @file{{more}}. Both will exit
-with a status code of 0.
-
-@exampleindent 0
-@example
-{escape_texi(jsonopts.usage(sections[0].meta, sections))}
-@end example
-@exampleindent 4
-
-{section_docs.getvalue()}\
-@anchor{{{prog_name} exit status}}
-{get_heading(level+1)} {prog_name} exit status
-
-One of the following exit values will be returned:
-@table @samp
-@item 0 (EXIT_SUCCESS)
-Successful program execution.
-@item 1 (EXIT_FAILURE)
-The operation failed or the command syntax was not valid.
-@end table
-''')
- if 'see-also' in includes:
- texi.write(include(sections[0].meta, level, 'see-also', includes))
- if 'examples' in includes:
- texi.write(include(sections[0].meta, level, 'examples', includes))
- if 'files' in includes:
- texi.write(include(sections[0].meta, level, 'files', includes))
-
-
-if __name__ == '__main__':
- import argparse
- import json
-
- parser = argparse.ArgumentParser(description='generate texinfo')
- parser.add_argument('json', type=argparse.FileType('r'))
- parser.add_argument('texi', type=argparse.FileType('w'))
- parser.add_argument('--description', type=argparse.FileType('r'))
- parser.add_argument('--see-also', type=argparse.FileType('r'))
- parser.add_argument('--examples', type=argparse.FileType('r'))
- parser.add_argument('--files', type=argparse.FileType('r'))
- parser.add_argument('--level', type=int, default=0)
- parser.add_argument('--section-node', action='store_true')
-
- args = parser.parse_args()
- includes = dict()
- if args.see_also:
- includes['see-also'] = args.see_also
- if args.examples:
- includes['examples'] = args.examples
- if args.files:
- includes['files'] = args.files
- if args.description:
- includes['description'] = args.description
- gen(args.json, args.level, args.section_node, includes, args.texi)
diff --git a/python/Makefile.am b/python/Makefile.am
index 702c200309..4d210feb47 100644
--- a/python/Makefile.am
+++ b/python/Makefile.am
@@ -1 +1 @@
-EXTRA_DIST = jsonopts.py
+EXTRA_DIST = cligen cli-codegen.py cli-docgen.py
diff --git a/python/jsonopts.py b/python/jsonopts.py
deleted file mode 100644
index 0ee01de7dd..0000000000
--- a/python/jsonopts.py
+++ /dev/null
@@ -1,257 +0,0 @@
-# Copyright (C) 2021 Daiki Ueno
-
-# This file is part of GnuTLS.
-
-# GnuTLS is free software: you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-
-# GnuTLS is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-# General Public License for more details.
-
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see
-# <https://www.gnu.org/licenses/>.
-
-from typing import Mapping, NamedTuple, Optional, Sequence
-import datetime
-import io
-import textwrap
-
-
-class Section(NamedTuple):
- meta: Mapping[str, str]
- options: Sequence[Mapping[str, str]]
-
- @classmethod
- def from_json(cls, json):
- return cls(meta=json['meta'], options=json['options'])
-
- @classmethod
- def default(cls):
- return DEFAULT_SECTION
-
-
-# Default options
-DEFAULT_SECTION = Section(
- meta={
- 'desc': 'Version, usage and configuration options',
- },
- options=[{
- 'long-option': 'version',
- 'short-option': 'v',
- 'arg-type': 'keyword',
- 'arg-optional': '',
- 'desc': 'output version information and exit',
- 'detail': textwrap.fill(textwrap.dedent("""\
- Output version of program and exit.
- The default mode is `v', a simple version.
- The `c' mode will print copyright information and
- `n' will print the full copyright notice.\
- """), width=72, fix_sentence_endings=True)
- }, {
- 'long-option': 'help',
- 'short-option': 'h',
- 'desc': 'display extended usage information and exit',
- 'detail': 'Display usage information and exit.'
- }, {
- 'long-option': 'more-help',
- 'short-option': '!',
- 'desc': 'extended usage information passed thru pager',
- 'detail': 'Pass the extended usage information through a pager.'
- }]
-)
-
-ARG_TYPE_TO_VALUE = {
- 'string': 'str',
- 'number': 'num',
- 'file': 'file',
- 'keyword': 'arg',
-}
-
-
-def default_arg_name(s: str) -> str:
- return ARG_TYPE_TO_VALUE[s]
-
-
-def usage(meta: Mapping[str, str], sections: Sequence[Section]) -> str:
- prog_name = sections[0].meta['prog-name']
- prog_title = sections[0].meta["prog-title"]
- out = io.StringIO()
- out.write(f'{prog_name} - {prog_title}\n')
- argument = sections[0].meta.get('argument', '')
- out.write(
- f'Usage: {prog_name} '
- f'[ -<flag> [<val>] | --<name>[{{=| }}<val>] ]... {argument}\n'
- )
- for section in sections:
- desc = section.meta["desc"]
- out.write('\n')
- if desc != '':
- out.write(f'{desc}:\n\n')
- for option in section.options:
- if 'deprecated' in option:
- continue
- long_opt = option['long-option']
- short_opt = option.get('short-option')
- arg_type = option.get('arg-type')
- if short_opt:
- header = f' -{short_opt}, --{long_opt}'
- else:
- header = f' --{long_opt}'
- if arg_type:
- arg = ARG_TYPE_TO_VALUE.get(arg_type, 'arg')
- if 'arg-optional' in option:
- header += f'[={arg}]'
- else:
- header += f'={arg}'
- if len(header) < 30:
- header = header.ljust(30)
- elif arg_type:
- header += ' '
- else:
- header += ' '
- alias = option.get('aliases')
- if alias:
- option_desc = f"an alias for the '{alias}' option"
- else:
- option_desc = option['desc']
- out.write(f'{header}{option_desc}\n')
- conflict_opts = option.get('conflicts', '').split()
- if len(conflict_opts) == 1:
- out.write(
- f"\t\t\t\t- prohibits the option '{conflict_opts[0]}'\n"
- )
- elif len(conflict_opts) > 1:
- conflict_opts_concatenated = '\n'.join([
- f'\t\t\t\t{conflict_opt}' for conflict_opt in conflict_opts
- ])
- out.write(
- '\t\t\t\t- prohibits these options:\n' +
- conflict_opts_concatenated + '\n'
- )
- require_opts = option.get('requires', '').split()
- if len(require_opts) == 1:
- out.write(
- f"\t\t\t\t- requires the option '{require_opts[0]}'\n"
- )
- elif len(require_opts) > 1:
- require_opts_concatenated = '\n'.join([
- f'\t\t\t\t{require_opt}' for require_opt in require_opts
- ])
- out.write(
- '\t\t\t\t- requires these options:\n' +
- require_opts_concatenated + '\n'
- )
- file_exists = option.get('file-exists', 'no')
- if file_exists == 'yes':
- out.write('\t\t\t\t- file must pre-exist\n')
- disable_prefix = option.get('disable-prefix')
- if disable_prefix:
- out.write(
- f"\t\t\t\t- disabled as '--{disable_prefix}{long_opt}'\n"
- )
- if 'enabled' in option:
- out.write('\t\t\t\t- enabled by default\n')
- if 'max' in option:
- max_count = option.get('max')
- assert max_count == 'NOLIMIT', \
- f'max keyword with value {max_count} is not supported'
- out.write('\t\t\t\t- may appear multiple times\n')
- arg_min = option.get('arg-min')
- arg_max = option.get('arg-max')
- if arg_min and arg_max:
- out.write(
- '\t\t\t\t- it must be in the range:\n'
- f'\t\t\t\t {int(arg_min)} to {int(arg_max)}\n'
- )
- out.write(textwrap.dedent('''
- Options are specified by doubled hyphens and their name or by a single
- hyphen and the flag character.
- '''))
- if 'argument' in sections[0].meta:
- out.write(('Operands and options may be intermixed. '
- 'They will be reordered.\n'))
- out.write('\n' + sections[0].meta['detail'] + '\n')
- bug_email = meta.get('bug-email')
- if bug_email:
- out.write('\n' + f'Please send bug reports to: <{bug_email}>' + '\n')
- return out.getvalue()
-
-
-LICENSES = {
- 'gpl3+': textwrap.dedent('''\
- This is free software. It is licensed for use, modification and
- redistribution under the terms of the GNU General Public License,
- version 3 or later <http://gnu.org/licenses/gpl.html>
- ''')
-}
-FULL_LICENSES = {
- 'gpl3+': textwrap.dedent('''\
- This is free software. It is licensed for use, modification and
- redistribution under the terms of the GNU General Public License,
- version 3 or later <http://gnu.org/licenses/gpl.html>
-
- @prog_name@ is free software: you can redistribute it and/or
- modify it under the terms of the GNU General Public License
- as published by the Free Software Foundation,
- either version 3 of the License, or (at your option) any later version.
-
- @prog_name@ is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty
- of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
- See the GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program. If not, see <http://www.gnu.org/licenses/>.
- ''')
-}
-
-
-def version(meta: Mapping[str, str], what='c') -> str:
- prog_name = meta['prog-name']
- version = meta.get('version', '0.0.0')
- license = meta.get('license', 'unknown')
- if license:
- license_text: Optional[str] = LICENSES[license]
- full_license_text: Optional[str] = FULL_LICENSES[license]
- else:
- license_text = None
- full_license_text = None
- copyright_year = meta.get('copyright-year',
- str(datetime.date.today().year))
- copyright_holder = meta.get('copyright-holder', 'COPYRIGHT HOLDER')
- bug_email = meta.get('bug-email')
-
- out = io.StringIO()
-
- if what == 'v':
- out.write(f'{prog_name} {version}')
- elif what == 'c':
- out.write(textwrap.dedent(f'''\
- {prog_name} {version}
- Copyright (C) {copyright_year} {copyright_holder}
- '''))
- if license_text:
- out.write(license_text)
- if bug_email:
- out.write(textwrap.dedent(f'''\
-
- Please send bug reports to: <{bug_email}>\
- '''))
- elif what == 'n':
- out.write(textwrap.dedent(f'''\
- {prog_name} {version}
- Copyright (C) {copyright_year} {copyright_holder}
- '''))
- if full_license_text:
- out.write(full_license_text.replace('@prog_name@', prog_name))
- if bug_email:
- out.write(textwrap.dedent(f'''\
-
- Please send bug reports to: <{bug_email}>\
- '''))
- return out.getvalue()
diff --git a/src/Makefile.am b/src/Makefile.am
index dabc97c0a4..628e45a92a 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -42,7 +42,7 @@ OPTIONS_STAMP = \
BUILT_SOURCES = $(OPTIONS_BUILT)
-EXTRA_DIST = gen-mech-list.sh gen-getopt.py $(OPTIONS_JSON) $(OPTIONS_BUILT) $(OPTIONS_STAMP)
+EXTRA_DIST = gen-mech-list.sh $(OPTIONS_JSON) $(OPTIONS_BUILT) $(OPTIONS_STAMP)
MAINTAINERCLEANFILES = $(OPTIONS_BUILT) $(OPTIONS_STAMP)
@@ -236,19 +236,25 @@ dumpcfg_LDADD = ../gl/libgnu.la gl/libgnu_gpl.la
SUFFIXES = .stamp .json
-OPTIONS_STAMP: $(srcdir)/gen-getopt.py
+OPTIONS_STAMP: $(top_srcdir)/python/cli-codegen.py
+
+CLIGEN_ARGS = \
+ --bug-email bugs@gnutls.org \
+ --copyright-year 2000-2021 \
+ --copyright-holder 'Free Software Foundation, and others' \
+ --license gpl3+ \
+ --package '$(PACKAGE)' \
+ --version '$(VERSION)'
.json.stamp:
$(AM_V_GEN) { \
b=`echo $@ | sed 's/.stamp$$//'`; \
PYTHONPATH='$(top_srcdir)/python' \
- $(PYTHON) $(srcdir)/gen-getopt.py \
- --bug-email bugs@gnutls.org \
- --copyright-year 2000-2021 \
- --copyright-holder 'Free Software Foundation, and others' \
- --license gpl3+ \
- --version '$(VERSION)' $< \
- $${b}.c $${b}.h; \
+ $(PYTHON) $(top_srcdir)/python/cli-codegen.py $(CLIGEN_ARGS) \
+ $< $${b}.c $${b}.h; \
+ echo "#define optionProcess(a,b,c) process_options(b,c)" >> $${b}.h; \
+ echo "#define STACKCT_OPT OPTS_COUNT" >> $${b}.h; \
+ echo "#define STACKLST_OPT OPTS_ARRAY" >> $${b}.h; \
} && \
touch $@
diff --git a/src/certtool-options.json b/src/certtool-options.json
index 34ecaa7714..147290c5d7 100644
--- a/src/certtool-options.json
+++ b/src/certtool-options.json
@@ -1,579 +1,540 @@
-[
- {
- "meta": {
- "desc": "",
- "prog-name": "certtool",
- "prog-title": "GnuTLS certificate tool",
- "prog-desc": "Manipulate certificates and private keys.",
- "detail": "Tool to parse and generate X.509 certificates, requests and private keys.\nIt can be used interactively or non interactively by\nspecifying the template command line option.\n\nThe tool accepts files or supported URIs via the --infile option. In case PIN\nis required for URI access you can provide it using the environment variables GNUTLS_PIN \nand GNUTLS_SO_PIN.\n",
- "short-usage": "certtool [options]\ncerttool --help for usage instructions.\n",
- "explain": ""
- },
- "options": [
- {
- "long-option": "debug",
- "short-option": "d",
- "arg-min": "0 ",
- "desc": "Enable debugging",
- "arg-max": " 9999",
- "detail": "Specifies the debug level.",
- "arg-type": "number"
- },
- {
- "short-option": "V",
- "max": "NOLIMIT",
- "long-option": "verbose",
- "desc": "More verbose output",
- "disabled": "",
- "detail": ""
- },
- {
- "long-option": "infile",
- "detail": "",
- "arg-type": "file",
- "desc": "Input file",
- "file-exists": "yes"
- },
- {
- "detail": "",
- "arg-type": "string",
- "desc": "Output file",
- "long-option": "outfile"
- }
- ]
+{
+ "format-version": "0.1.0",
+ "tool": {
+ "name": "certtool",
+ "title": "GnuTLS certificate tool",
+ "description": "Manipulate certificates and private keys.",
+ "detail": "Tool to parse and generate X.509 certificates, requests and private keys.\nIt can be used interactively or non interactively by\nspecifying the template command line option.\n\nThe tool accepts files or supported URIs via the --infile option. In case PIN\nis required for URI access you can provide it using the environment variables GNUTLS_PIN \nand GNUTLS_SO_PIN.\n",
+ "short-usage": "certtool [options]\ncerttool --help for usage instructions.\n"
},
- {
- "meta": {
- "id": "cert-options",
- "desc": "Certificate related options"
+ "sections": [
+ {
+ "options": [
+ {
+ "long-option": "debug",
+ "short-option": "d",
+ "description": "Enable debugging",
+ "detail": "Specifies the debug level.",
+ "argument-range": {
+ "min": 0,
+ "max": 9999
+ },
+ "argument-type": "number"
+ },
+ {
+ "long-option": "verbose",
+ "short-option": "V",
+ "description": "More verbose output"
+ },
+ {
+ "long-option": "infile",
+ "description": "Input file",
+ "file-exists": true,
+ "argument-type": "file"
+ },
+ {
+ "long-option": "outfile",
+ "description": "Output file",
+ "argument-type": "string"
+ }
+ ]
},
- "options": [
- {
- "detail": "",
- "desc": "Print information on the given certificate",
- "short-option": "i",
- "long-option": "certificate-info"
- },
- {
- "desc": "Print information on a public key",
- "long-option": "pubkey-info",
- "detail": "The option combined with --load-request, --load-pubkey, --load-privkey and --load-certificate will extract the public key of the object in question."
- },
- {
- "long-option": "generate-self-signed",
- "short-option": "s",
- "desc": "Generate a self-signed certificate",
- "detail": ""
- },
- {
- "short-option": "c",
- "long-option": "generate-certificate",
- "desc": "Generate a signed certificate",
- "detail": ""
- },
- {
- "detail": "",
- "desc": "Generates a proxy certificate",
- "long-option": "generate-proxy"
- },
- {
- "short-option": "u",
- "long-option": "update-certificate",
- "detail": "",
- "desc": "Update a signed certificate"
- },
- {
- "desc": "Print the fingerprint of the given certificate",
- "long-option": "fingerprint",
- "detail": "This is a simple hash of the DER encoding of the certificate. It can be combined with the --hash parameter. However, it is recommended for identification to use the key-id which depends only on the certificate's key."
- },
- {
- "long-option": "key-id",
- "desc": "Print the key ID of the given certificate",
- "detail": "This is a hash of the public key of the given certificate. It identifies the key uniquely, remains the same on a certificate renewal and depends only on signed fields of the certificate."
- },
- {
- "deprecated": "",
- "long-option": "certificate-pubkey",
- "desc": "Print certificate's public key",
- "detail": "This option is deprecated as a duplicate of --pubkey-info"
- },
- {
- "desc": "Generate an X.509 version 1 certificate (with no extensions)",
- "long-option": "v1",
- "detail": ""
- },
- {
- "desc": "Sign a certificate with a specific signature algorithm",
- "arg-type": "string",
- "detail": "This option can be combined with --generate-certificate, to sign the certificate with\na specific signature algorithm variant. The only option supported is 'RSA-PSS', and should be\nspecified when the signer does not have a certificate which is marked for RSA-PSS use only.",
- "long-option": "sign-params"
- }
- ]
- },
- {
- "meta": {
- "desc": "Certificate request related options",
- "id": "crq-options"
+ {
+ "ref": "cert-options",
+ "description": "Certificate related options",
+ "options": [
+ {
+ "long-option": "certificate-info",
+ "short-option": "i",
+ "description": "Print information on the given certificate"
+ },
+ {
+ "long-option": "pubkey-info",
+ "description": "Print information on a public key",
+ "detail": "The option combined with --load-request, --load-pubkey, --load-privkey and --load-certificate will extract the public key of the object in question."
+ },
+ {
+ "long-option": "generate-self-signed",
+ "short-option": "s",
+ "description": "Generate a self-signed certificate"
+ },
+ {
+ "long-option": "generate-certificate",
+ "short-option": "c",
+ "description": "Generate a signed certificate"
+ },
+ {
+ "long-option": "generate-proxy",
+ "description": "Generates a proxy certificate"
+ },
+ {
+ "long-option": "update-certificate",
+ "short-option": "u",
+ "description": "Update a signed certificate"
+ },
+ {
+ "long-option": "fingerprint",
+ "description": "Print the fingerprint of the given certificate",
+ "detail": "This is a simple hash of the DER encoding of the certificate. It can be combined with the --hash parameter. However, it is recommended for identification to use the key-id which depends only on the certificate's key."
+ },
+ {
+ "long-option": "key-id",
+ "description": "Print the key ID of the given certificate",
+ "detail": "This is a hash of the public key of the given certificate. It identifies the key uniquely, remains the same on a certificate renewal and depends only on signed fields of the certificate."
+ },
+ {
+ "long-option": "certificate-pubkey",
+ "description": "Print certificate's public key",
+ "detail": "This option is deprecated as a duplicate of --pubkey-info",
+ "deprecated": true
+ },
+ {
+ "long-option": "v1",
+ "description": "Generate an X.509 version 1 certificate (with no extensions)"
+ },
+ {
+ "long-option": "sign-params",
+ "description": "Sign a certificate with a specific signature algorithm",
+ "detail": "This option can be combined with --generate-certificate, to sign the certificate with\na specific signature algorithm variant. The only option supported is 'RSA-PSS', and should be\nspecified when the signer does not have a certificate which is marked for RSA-PSS use only.",
+ "argument-type": "string"
+ }
+ ]
},
- "options": [
- {
- "detail": "",
- "long-option": "crq-info",
- "desc": "Print information on the given certificate request"
- },
- {
- "detail": "Will generate a PKCS #10 certificate request. To specify a private key use --load-privkey.",
- "conflicts": "infile",
- "long-option": "generate-request",
- "desc": "Generate a PKCS #10 certificate request",
- "short-option": "q"
- },
- {
- "desc": "Do not use extensions in certificate requests",
- "detail": "",
- "long-option": "no-crq-extensions"
- }
- ]
- },
- {
- "meta": {
- "desc": "PKCS#12 file related options",
- "id": "pkcs12-options"
+ {
+ "ref": "crq-options",
+ "description": "Certificate request related options",
+ "options": [
+ {
+ "long-option": "crq-info",
+ "description": "Print information on the given certificate request"
+ },
+ {
+ "long-option": "generate-request",
+ "short-option": "q",
+ "description": "Generate a PKCS #10 certificate request",
+ "detail": "Will generate a PKCS #10 certificate request. To specify a private key use --load-privkey.",
+ "conflicts": [
+ "infile"
+ ]
+ },
+ {
+ "long-option": "no-crq-extensions",
+ "description": "Do not use extensions in certificate requests"
+ }
+ ]
},
- "options": [
- {
- "detail": "This option will dump the contents and print the metadata of the provided PKCS #12 structure.",
- "desc": "Print information on a PKCS #12 structure",
- "long-option": "p12-info"
- },
- {
- "arg-type": "string",
- "desc": "The PKCS #12 friendly name to use",
- "detail": "The name to be used for the primary certificate and private key in a PKCS #12 file.",
- "long-option": "p12-name"
- },
- {
- "detail": "It requires a certificate, a private key and possibly a CA certificate to be specified.",
- "desc": "Generate a PKCS #12 structure",
- "long-option": "to-p12"
- }
- ]
- },
- {
- "meta": {
- "id": "key-options",
- "desc": "Private key related options"
+ {
+ "ref": "pkcs12-options",
+ "description": "PKCS#12 file related options",
+ "options": [
+ {
+ "long-option": "p12-info",
+ "description": "Print information on a PKCS #12 structure",
+ "detail": "This option will dump the contents and print the metadata of the provided PKCS #12 structure."
+ },
+ {
+ "long-option": "p12-name",
+ "description": "The PKCS #12 friendly name to use",
+ "detail": "The name to be used for the primary certificate and private key in a PKCS #12 file.",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "to-p12",
+ "description": "Generate a PKCS #12 structure",
+ "detail": "It requires a certificate, a private key and possibly a CA certificate to be specified."
+ }
+ ]
},
- "options": [
- {
- "short-option": "k",
- "long-option": "key-info",
- "detail": "",
- "desc": "Print information on a private key"
- },
- {
- "desc": "Print information on a PKCS #8 structure",
- "detail": "This option will print information about encrypted PKCS #8 structures. That option does not require the decryption of the structure.",
- "long-option": "p8-info"
- },
- {
- "detail": "It requires an RSA-PSS key as input and will output a raw RSA\nkey. This command is necessary for compatibility with applications that\ncannot read RSA-PSS keys.",
- "long-option": "to-rsa",
- "desc": "Convert an RSA-PSS key to raw RSA format"
- },
- {
- "long-option": "generate-privkey",
- "detail": "When generating RSA-PSS private keys, the --hash option will\nrestrict the allowed hash for the key; in the same keys the --salt-size\noption is also acceptable.",
- "desc": "Generate a private key",
- "short-option": "p"
- },
- {
- "arg-type": "string",
- "long-option": "key-type",
- "desc": "Specify the key type to use on key generation",
- "detail": "This option can be combined with --generate-privkey, to specify\nthe key type to be generated. Valid options are, 'rsa', 'rsa-pss', 'dsa', 'ecdsa', 'ed25519, 'ed448', 'x25519', and 'x448'.'.\nWhen combined with certificate generation it can be used to specify an\nRSA-PSS certificate when an RSA key is given."
- },
- {
- "long-option": "bits",
- "desc": "Specify the number of bits for key generation",
- "detail": "",
- "arg-type": "number"
- },
- {
- "detail": "Supported values are secp192r1, secp224r1, secp256r1, secp384r1 and secp521r1.",
- "arg-type": "string",
- "long-option": "curve",
- "desc": "Specify the curve used for EC key generation"
- },
- {
- "detail": "This is alternative to the bits option.",
- "arg-type": "string",
- "long-option": "sec-param",
- "arg-name": "Security parameter",
- "desc": "Specify the security level [low, legacy, medium, high, ultra]"
- },
- {
- "detail": "This needs to be combined with --load-privkey.",
- "desc": "Convert a given key to a PKCS #8 structure",
- "long-option": "to-p8"
- },
- {
- "short-option": "8",
- "long-option": "pkcs8",
- "desc": "Use PKCS #8 format for private keys",
- "detail": ""
- },
- {
- "desc": "Generate a private key or parameters from a seed using a provable method",
- "detail": "This will use the FIPS PUB186-4 algorithms (i.e., Shawe-Taylor) for provable key generation.\nWhen specified the private keys or parameters will be generated from a seed, and can be\nlater validated with --verify-provable-privkey to be correctly generated from the seed. You may\nspecify --seed or allow GnuTLS to generate one (recommended). This option can be combined with\n--generate-privkey or --generate-dh-params.\n\nThat option applies to RSA and DSA keys. On the DSA keys the PQG parameters\nare generated using the seed, and on RSA the two primes.",
- "long-option": "provable"
- },
- {
- "detail": "This will use the FIPS-186-4 algorithms for provable key generation. You may specify --seed or use the seed stored in the private key structure.",
- "long-option": "verify-provable-privkey",
- "desc": "Verify a private key generated from a seed using a provable method"
- },
- {
- "detail": "The seed acts as a security parameter for the private key, and\nthus a seed size which corresponds to the security level of the private key\nshould be provided (e.g., 256-bits seed).",
- "arg-type": "string",
- "desc": "When generating a private key use the given hex-encoded seed",
- "long-option": "seed"
- }
- ]
- },
- {
- "meta": {
- "desc": "CRL related options",
- "id": "crl-options"
+ {
+ "ref": "key-options",
+ "description": "Private key related options",
+ "options": [
+ {
+ "long-option": "key-info",
+ "short-option": "k",
+ "description": "Print information on a private key"
+ },
+ {
+ "long-option": "p8-info",
+ "description": "Print information on a PKCS #8 structure",
+ "detail": "This option will print information about encrypted PKCS #8 structures. That option does not require the decryption of the structure."
+ },
+ {
+ "long-option": "to-rsa",
+ "description": "Convert an RSA-PSS key to raw RSA format",
+ "detail": "It requires an RSA-PSS key as input and will output a raw RSA\nkey. This command is necessary for compatibility with applications that\ncannot read RSA-PSS keys."
+ },
+ {
+ "long-option": "generate-privkey",
+ "short-option": "p",
+ "description": "Generate a private key",
+ "detail": "When generating RSA-PSS private keys, the --hash option will\nrestrict the allowed hash for the key; in the same keys the --salt-size\noption is also acceptable."
+ },
+ {
+ "long-option": "key-type",
+ "description": "Specify the key type to use on key generation",
+ "detail": "This option can be combined with --generate-privkey, to specify\nthe key type to be generated. Valid options are, 'rsa', 'rsa-pss', 'dsa', 'ecdsa', 'ed25519, 'ed448', 'x25519', and 'x448'.'.\nWhen combined with certificate generation it can be used to specify an\nRSA-PSS certificate when an RSA key is given.",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "bits",
+ "description": "Specify the number of bits for key generation",
+ "argument-type": "number"
+ },
+ {
+ "long-option": "curve",
+ "description": "Specify the curve used for EC key generation",
+ "detail": "Supported values are secp192r1, secp224r1, secp256r1, secp384r1 and secp521r1.",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "sec-param",
+ "description": "Specify the security level [low, legacy, medium, high, ultra]",
+ "detail": "This is alternative to the bits option.",
+ "argument-type": "string",
+ "argument-name": "Security parameter"
+ },
+ {
+ "long-option": "to-p8",
+ "description": "Convert a given key to a PKCS #8 structure",
+ "detail": "This needs to be combined with --load-privkey."
+ },
+ {
+ "long-option": "pkcs8",
+ "short-option": "8",
+ "description": "Use PKCS #8 format for private keys"
+ },
+ {
+ "long-option": "provable",
+ "description": "Generate a private key or parameters from a seed using a provable method",
+ "detail": "This will use the FIPS PUB186-4 algorithms (i.e., Shawe-Taylor) for provable key generation.\nWhen specified the private keys or parameters will be generated from a seed, and can be\nlater validated with --verify-provable-privkey to be correctly generated from the seed. You may\nspecify --seed or allow GnuTLS to generate one (recommended). This option can be combined with\n--generate-privkey or --generate-dh-params.\n\nThat option applies to RSA and DSA keys. On the DSA keys the PQG parameters\nare generated using the seed, and on RSA the two primes."
+ },
+ {
+ "long-option": "verify-provable-privkey",
+ "description": "Verify a private key generated from a seed using a provable method",
+ "detail": "This will use the FIPS-186-4 algorithms for provable key generation. You may specify --seed or use the seed stored in the private key structure."
+ },
+ {
+ "long-option": "seed",
+ "description": "When generating a private key use the given hex-encoded seed",
+ "detail": "The seed acts as a security parameter for the private key, and\nthus a seed size which corresponds to the security level of the private key\nshould be provided (e.g., 256-bits seed).",
+ "argument-type": "string"
+ }
+ ]
},
- "options": [
- {
- "short-option": "l",
- "desc": "Print information on the given CRL structure",
- "long-option": "crl-info",
- "detail": ""
- },
- {
- "long-option": "generate-crl",
- "detail": "This option generates a Certificate Revocation List. When combined with --load-crl it would use the loaded CRL as base for the generated (i.e., all revoked certificates in the base will be copied to the new CRL).\nTo add new certificates to the CRL use --load-certificate.",
- "desc": "Generate a CRL"
- },
- {
- "requires": "load-ca-certificate",
- "desc": "Verify a Certificate Revocation List using a trusted list",
- "long-option": "verify-crl",
- "detail": "The trusted certificate list must be loaded with --load-ca-certificate."
- }
- ]
- },
- {
- "meta": {
- "desc": "Certificate verification related options",
- "id": "cert-verify-options"
+ {
+ "ref": "crl-options",
+ "description": "CRL related options",
+ "options": [
+ {
+ "long-option": "crl-info",
+ "short-option": "l",
+ "description": "Print information on the given CRL structure"
+ },
+ {
+ "long-option": "generate-crl",
+ "description": "Generate a CRL",
+ "detail": "This option generates a Certificate Revocation List. When combined with --load-crl it would use the loaded CRL as base for the generated (i.e., all revoked certificates in the base will be copied to the new CRL).\nTo add new certificates to the CRL use --load-certificate."
+ },
+ {
+ "long-option": "verify-crl",
+ "description": "Verify a Certificate Revocation List using a trusted list",
+ "detail": "The trusted certificate list must be loaded with --load-ca-certificate.",
+ "requires": [
+ "load-ca-certificate"
+ ]
+ }
+ ]
},
- "options": [
- {
- "long-option": "verify-chain",
- "desc": "Verify a PEM encoded certificate chain",
- "detail": "Verifies the validity of a certificate chain. That is, an ordered set of\ncertificates where each one is the issuer of the previous, and the first is\nthe end-certificate to be validated. In a proper chain the last certificate\nis a self signed one. It can be combined with --verify-purpose or --verify-hostname.",
- "short-option": "e"
- },
- {
- "detail": "The trusted certificate list can be loaded with --load-ca-certificate. If no\ncertificate list is provided, then the system's trusted certificate list is used. Note that\nduring verification multiple paths may be explored. On a successful verification\nthe successful path will be the last one. It can be combined with --verify-purpose or --verify-hostname.",
- "desc": "Verify a PEM encoded certificate (chain) against a trusted set",
- "long-option": "verify"
- },
- {
- "long-option": "verify-hostname",
- "desc": "Specify a hostname to be used for certificate chain verification",
- "arg-type": "string",
- "detail": "This is to be combined with one of the verify certificate options."
- },
- {
- "detail": "This is to be combined with one of the verify certificate options.",
- "long-option": "verify-email",
- "desc": "Specify a email to be used for certificate chain verification",
- "conflicts": "verify-hostname",
- "arg-type": "string"
- },
- {
- "detail": "This object identifier restricts the purpose of the certificates to be verified. Example purposes are 1.3.6.1.5.5.7.3.1 (TLS WWW), 1.3.6.1.5.5.7.3.4 (EMAIL) etc. Note that a CA certificate without a purpose set (extended key usage) is valid for any purpose.",
- "long-option": "verify-purpose",
- "arg-type": "string",
- "desc": "Specify a purpose OID to be used for certificate chain verification"
- },
- {
- "long-option": "verify-allow-broken",
- "detail": "This can be combined with --p7-verify, --verify or --verify-chain.",
- "desc": "Allow broken algorithms, such as MD5 for verification"
- },
- {
- "detail": "This option can be used to specify a certificate verification profile. Certificate\n verification profiles correspond to the security level. This should be one of\n 'none', 'very weak', 'low', 'legacy', 'medium', 'high', 'ultra',\n 'future'. Note that by default no profile is applied, unless one is set\n as minimum in the gnutls configuration file.",
- "long-option": "verify-profile",
- "arg-type": "string",
- "desc": "Specify a security level profile to be used for verification"
- }
- ]
- },
- {
- "meta": {
- "desc": "PKCS#7 structure options",
- "id": "pkcs7-options"
+ {
+ "ref": "cert-verify-options",
+ "description": "Certificate verification related options",
+ "options": [
+ {
+ "long-option": "verify-chain",
+ "short-option": "e",
+ "description": "Verify a PEM encoded certificate chain",
+ "detail": "Verifies the validity of a certificate chain. That is, an ordered set of\ncertificates where each one is the issuer of the previous, and the first is\nthe end-certificate to be validated. In a proper chain the last certificate\nis a self signed one. It can be combined with --verify-purpose or --verify-hostname."
+ },
+ {
+ "long-option": "verify",
+ "description": "Verify a PEM encoded certificate (chain) against a trusted set",
+ "detail": "The trusted certificate list can be loaded with --load-ca-certificate. If no\ncertificate list is provided, then the system's trusted certificate list is used. Note that\nduring verification multiple paths may be explored. On a successful verification\nthe successful path will be the last one. It can be combined with --verify-purpose or --verify-hostname."
+ },
+ {
+ "long-option": "verify-hostname",
+ "description": "Specify a hostname to be used for certificate chain verification",
+ "detail": "This is to be combined with one of the verify certificate options.",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "verify-email",
+ "description": "Specify a email to be used for certificate chain verification",
+ "detail": "This is to be combined with one of the verify certificate options.",
+ "conflicts": [
+ "verify-hostname"
+ ],
+ "argument-type": "string"
+ },
+ {
+ "long-option": "verify-purpose",
+ "description": "Specify a purpose OID to be used for certificate chain verification",
+ "detail": "This object identifier restricts the purpose of the certificates to be verified. Example purposes are 1.3.6.1.5.5.7.3.1 (TLS WWW), 1.3.6.1.5.5.7.3.4 (EMAIL) etc. Note that a CA certificate without a purpose set (extended key usage) is valid for any purpose.",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "verify-allow-broken",
+ "description": "Allow broken algorithms, such as MD5 for verification",
+ "detail": "This can be combined with --p7-verify, --verify or --verify-chain."
+ },
+ {
+ "long-option": "verify-profile",
+ "description": "Specify a security level profile to be used for verification",
+ "detail": "This option can be used to specify a certificate verification profile. Certificate\n verification profiles correspond to the security level. This should be one of\n 'none', 'very weak', 'low', 'legacy', 'medium', 'high', 'ultra',\n 'future'. Note that by default no profile is applied, unless one is set\n as minimum in the gnutls configuration file.",
+ "argument-type": "string"
+ }
+ ]
},
- "options": [
- {
- "desc": "Generate a PKCS #7 structure",
- "detail": "This option generates a PKCS #7 certificate container structure. To add certificates in the structure use --load-certificate and --load-crl.",
- "long-option": "p7-generate"
- },
- {
- "long-option": "p7-sign",
- "detail": "This option generates a PKCS #7 structure containing a signature for the provided data from infile. The data are stored within the structure. The signer certificate has to be specified using --load-certificate and --load-privkey. The input to --load-certificate can be a list of certificates. In case of a list, the first certificate is used for signing and the other certificates are included in the structure.",
- "desc": "Signs using a PKCS #7 structure"
- },
- {
- "desc": "Signs using a detached PKCS #7 structure",
- "detail": "This option generates a PKCS #7 structure containing a signature for the provided data from infile. The signer certificate has to be specified using --load-certificate and --load-privkey. The input to --load-certificate can be a list of certificates. In case of a list, the first certificate is used for signing and the other certificates are included in the structure.",
- "long-option": "p7-detached-sign"
- },
- {
- "disable-prefix": "no-",
- "long-option": "p7-include-cert",
- "desc": "The signer's certificate will be included in the cert list.",
- "detail": "This options works with --p7-sign or --p7-detached-sign and will include or exclude the signer's certificate into the generated signature.",
- "enabled": ""
- },
- {
- "detail": "This option will include a timestamp in the generated signature",
- "disable-prefix": "no-",
- "disabled": "",
- "desc": "Will include a timestamp in the PKCS #7 structure",
- "long-option": "p7-time"
- },
- {
- "disable-prefix": "no-",
- "disabled": "",
- "desc": "Will show the embedded data in the PKCS #7 structure",
- "long-option": "p7-show-data",
- "detail": "This option can be combined with --p7-verify or --p7-info and will display the embedded signed data in the PKCS #7 structure."
- },
- {
- "long-option": "p7-info",
- "desc": "Print information on a PKCS #7 structure",
- "detail": ""
- },
- {
- "detail": "This option verifies the signed PKCS #7 structure. The certificate list to use for verification can be specified with --load-ca-certificate. When no certificate list is provided, then the system's certificate list is used. Alternatively a direct signer can be provided using --load-certificate. A key purpose can be enforced with the --verify-purpose option, and the --load-data option will utilize detached data.",
- "long-option": "p7-verify",
- "desc": "Verify the provided PKCS #7 structure"
- },
- {
- "long-option": "smime-to-p7",
- "desc": "Convert S/MIME to PKCS #7 structure",
- "detail": ""
- }
- ]
- },
- {
- "meta": {
- "desc": "Other options",
- "id": "other-options"
+ {
+ "ref": "pkcs7-options",
+ "description": "PKCS#7 structure options",
+ "options": [
+ {
+ "long-option": "p7-generate",
+ "description": "Generate a PKCS #7 structure",
+ "detail": "This option generates a PKCS #7 certificate container structure. To add certificates in the structure use --load-certificate and --load-crl."
+ },
+ {
+ "long-option": "p7-sign",
+ "description": "Signs using a PKCS #7 structure",
+ "detail": "This option generates a PKCS #7 structure containing a signature for the provided data from infile. The data are stored within the structure. The signer certificate has to be specified using --load-certificate and --load-privkey. The input to --load-certificate can be a list of certificates. In case of a list, the first certificate is used for signing and the other certificates are included in the structure."
+ },
+ {
+ "long-option": "p7-detached-sign",
+ "description": "Signs using a detached PKCS #7 structure",
+ "detail": "This option generates a PKCS #7 structure containing a signature for the provided data from infile. The signer certificate has to be specified using --load-certificate and --load-privkey. The input to --load-certificate can be a list of certificates. In case of a list, the first certificate is used for signing and the other certificates are included in the structure."
+ },
+ {
+ "long-option": "p7-include-cert",
+ "description": "The signer's certificate will be included in the cert list",
+ "detail": "This options works with --p7-sign or --p7-detached-sign and will include or exclude the signer's certificate into the generated signature.",
+ "enabled": true,
+ "disable-prefix": "no-"
+ },
+ {
+ "long-option": "p7-time",
+ "description": "Will include a timestamp in the PKCS #7 structure",
+ "detail": "This option will include a timestamp in the generated signature",
+ "disable-prefix": "no-"
+ },
+ {
+ "long-option": "p7-show-data",
+ "description": "Will show the embedded data in the PKCS #7 structure",
+ "detail": "This option can be combined with --p7-verify or --p7-info and will display the embedded signed data in the PKCS #7 structure.",
+ "disable-prefix": "no-"
+ },
+ {
+ "long-option": "p7-info",
+ "description": "Print information on a PKCS #7 structure"
+ },
+ {
+ "long-option": "p7-verify",
+ "description": "Verify the provided PKCS #7 structure",
+ "detail": "This option verifies the signed PKCS #7 structure. The certificate list to use for verification can be specified with --load-ca-certificate. When no certificate list is provided, then the system's certificate list is used. Alternatively a direct signer can be provided using --load-certificate. A key purpose can be enforced with the --verify-purpose option, and the --load-data option will utilize detached data."
+ },
+ {
+ "long-option": "smime-to-p7",
+ "description": "Convert S/MIME to PKCS #7 structure"
+ }
+ ]
},
- "options": [
- {
- "detail": "The will generate random parameters to be used with\nDiffie-Hellman key exchange. The output parameters will be in PKCS #3\nformat. Note that it is recommended to use the --get-dh-params option\ninstead.",
- "desc": "Generate PKCS #3 encoded Diffie-Hellman parameters",
- "deprecated": "",
- "long-option": "generate-dh-params"
- },
- {
- "long-option": "get-dh-params",
- "desc": "List the included PKCS #3 encoded Diffie-Hellman parameters",
- "detail": "Returns stored DH parameters in GnuTLS. Those parameters returned\nare defined in RFC7919, and can be considered standard parameters for a TLS\nkey exchange. This option is provided for old applications which require\nDH parameters to be specified; modern GnuTLS applications should not require\nthem."
- },
- {
- "desc": "Print information PKCS #3 encoded Diffie-Hellman parameters",
- "detail": "",
- "long-option": "dh-info"
- },
- {
- "detail": "This can be either a file or a PKCS #11 URL",
- "long-option": "load-privkey",
- "arg-type": "string",
- "desc": "Loads a private key file"
- },
- {
- "arg-type": "string",
- "desc": "Loads a public key file",
- "detail": "This can be either a file or a PKCS #11 URL",
- "long-option": "load-pubkey"
- },
- {
- "long-option": "load-request",
- "desc": "Loads a certificate request file",
- "detail": "This option can be used with a file",
- "arg-type": "string"
- },
- {
- "arg-type": "string",
- "long-option": "load-certificate",
- "detail": "This option can be used with a file",
- "desc": "Loads a certificate file"
- },
- {
- "desc": "Loads the certificate authority's private key file",
- "arg-type": "string",
- "detail": "This can be either a file or a PKCS #11 URL",
- "long-option": "load-ca-privkey"
- },
- {
- "desc": "Loads the certificate authority's certificate file",
- "detail": "This can be either a file or a PKCS #11 URL",
- "arg-type": "string",
- "long-option": "load-ca-certificate"
- },
- {
- "desc": "Loads the provided CRL",
- "arg-type": "string",
- "long-option": "load-crl",
- "detail": "This option can be used with a file"
- },
- {
- "detail": "This option can be used with a file",
- "desc": "Loads auxiliary data",
- "arg-type": "string",
- "long-option": "load-data"
- },
- {
- "detail": "You can use this option to specify the password in the command line instead of reading it from the tty. Note, that the command line arguments are available for view in others in the system. Specifying password as '' is the same as specifying no password.",
- "arg-type": "string",
- "desc": "Password to use",
- "long-option": "password"
- },
- {
- "desc": "Enforce a NULL password",
- "long-option": "null-password",
- "detail": "This option enforces a NULL password. This is different than the empty or no password in schemas like PKCS #8."
- },
- {
- "detail": "This option enforces an empty password. This is different than the NULL or no password in schemas like PKCS #8.",
- "long-option": "empty-password",
- "desc": "Enforce an empty password"
- },
- {
- "long-option": "hex-numbers",
- "detail": "",
- "desc": "Print big number in an easier format to parse"
- },
- {
- "long-option": "cprint",
- "desc": "In certain operations it prints the information in C-friendly format",
- "detail": "In certain operations it prints the information in C-friendly format, suitable for including into C programs."
- },
- {
- "desc": "Generate RSA key",
- "detail": "When combined with --generate-privkey generates an RSA private key.",
- "long-option": "rsa",
- "description": "This option is equivalent to '--key-type rsa'.",
- "deprecated": ""
- },
- {
- "description": "This option is equivalent to '--key-type dsa'.",
- "deprecated": "",
- "long-option": "dsa",
- "detail": "When combined with --generate-privkey generates a DSA private key.",
- "desc": "Generate DSA key"
- },
- {
- "desc": "Generate ECC (ECDSA) key",
- "description": "This option is equivalent to '--key-type ecdsa'.",
- "long-option": "ecc",
- "detail": "When combined with --generate-privkey generates an elliptic curve private key to be used with ECDSA.",
- "deprecated": ""
- },
- {
- "aliases": "ecc",
- "deprecated": "",
- "long-option": "ecdsa"
- },
- {
- "long-option": "hash",
- "detail": "Available hash functions are SHA1, RMD160, SHA256, SHA384, SHA512, SHA3-224, SHA3-256, SHA3-384, SHA3-512.",
- "desc": "Hash algorithm to use for signing",
- "arg-type": "string"
- },
- {
- "desc": "Specify the RSA-PSS key default salt size",
- "arg-type": "number",
- "long-option": "salt-size",
- "detail": "Typical keys shouldn't set or restrict this option."
- },
- {
- "desc": "Use DER format for input certificates, private keys, and DH parameters ",
- "detail": "The input files will be assumed to be in DER or RAW format. \nUnlike options that in PEM input would allow multiple input data (e.g. multiple \ncertificates), when reading in DER format a single data structure is read.",
- "disabled": "",
- "disable-prefix": "no-",
- "long-option": "inder"
- },
- {
- "aliases": "inder",
- "long-option": "inraw"
- },
- {
- "long-option": "outder",
- "disabled": "",
- "desc": "Use DER format for output certificates, private keys, and DH parameters",
- "disable-prefix": "no-",
- "detail": "The output will be in DER or RAW format."
- },
- {
- "aliases": "outder",
- "long-option": "outraw"
- },
- {
- "desc": "No effect",
- "long-option": "disable-quick-random",
- "deprecated": "",
- "detail": ""
- },
- {
- "arg-type": "string",
- "long-option": "template",
- "desc": "Template file to use for non-interactive operation",
- "detail": ""
- },
- {
- "long-option": "stdout-info",
- "detail": "",
- "desc": "Print information to stdout instead of stderr"
- },
- {
- "long-option": "ask-pass",
- "disabled": "",
- "desc": "Enable interaction for entering password when in batch mode.",
- "detail": "This option will enable interaction to enter password when in batch mode. That is useful when the template option has been specified."
- },
- {
- "arg-name": "Cipher",
- "detail": "Cipher may be one of 3des, 3des-pkcs12, aes-128, aes-192, aes-256, rc2-40, arcfour.",
- "long-option": "pkcs-cipher",
- "desc": "Cipher to use for PKCS #8 and #12 operations",
- "arg-type": "string"
- },
- {
- "arg-type": "string",
- "long-option": "provider",
- "detail": "This will override the default options in /etc/gnutls/pkcs11.conf",
- "desc": "Specify the PKCS #11 provider library"
- },
- {
- "enabled": "",
- "long-option": "text",
- "disable-prefix": "no-",
- "desc": "Output textual information before PEM-encoded certificates, private keys, etc",
- "detail": "Output textual information before PEM-encoded data"
- }
- ]
- }
-] \ No newline at end of file
+ {
+ "ref": "other-options",
+ "description": "Other options",
+ "options": [
+ {
+ "long-option": "generate-dh-params",
+ "description": "Generate PKCS #3 encoded Diffie-Hellman parameters",
+ "detail": "The will generate random parameters to be used with\nDiffie-Hellman key exchange. The output parameters will be in PKCS #3\nformat. Note that it is recommended to use the --get-dh-params option\ninstead.",
+ "deprecated": true
+ },
+ {
+ "long-option": "get-dh-params",
+ "description": "List the included PKCS #3 encoded Diffie-Hellman parameters",
+ "detail": "Returns stored DH parameters in GnuTLS. Those parameters returned\nare defined in RFC7919, and can be considered standard parameters for a TLS\nkey exchange. This option is provided for old applications which require\nDH parameters to be specified; modern GnuTLS applications should not require\nthem."
+ },
+ {
+ "long-option": "dh-info",
+ "description": "Print information PKCS #3 encoded Diffie-Hellman parameters"
+ },
+ {
+ "long-option": "load-privkey",
+ "description": "Loads a private key file",
+ "detail": "This can be either a file or a PKCS #11 URL",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "load-pubkey",
+ "description": "Loads a public key file",
+ "detail": "This can be either a file or a PKCS #11 URL",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "load-request",
+ "description": "Loads a certificate request file",
+ "detail": "This option can be used with a file",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "load-certificate",
+ "description": "Loads a certificate file",
+ "detail": "This option can be used with a file",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "load-ca-privkey",
+ "description": "Loads the certificate authority's private key file",
+ "detail": "This can be either a file or a PKCS #11 URL",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "load-ca-certificate",
+ "description": "Loads the certificate authority's certificate file",
+ "detail": "This can be either a file or a PKCS #11 URL",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "load-crl",
+ "description": "Loads the provided CRL",
+ "detail": "This option can be used with a file",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "load-data",
+ "description": "Loads auxiliary data",
+ "detail": "This option can be used with a file",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "password",
+ "description": "Password to use",
+ "detail": "You can use this option to specify the password in the command line instead of reading it from the tty. Note, that the command line arguments are available for view in others in the system. Specifying password as '' is the same as specifying no password.",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "null-password",
+ "description": "Enforce a NULL password",
+ "detail": "This option enforces a NULL password. This is different than the empty or no password in schemas like PKCS #8."
+ },
+ {
+ "long-option": "empty-password",
+ "description": "Enforce an empty password",
+ "detail": "This option enforces an empty password. This is different than the NULL or no password in schemas like PKCS #8."
+ },
+ {
+ "long-option": "hex-numbers",
+ "description": "Print big number in an easier format to parse"
+ },
+ {
+ "long-option": "cprint",
+ "description": "In certain operations it prints the information in C-friendly format",
+ "detail": "In certain operations it prints the information in C-friendly format, suitable for including into C programs."
+ },
+ {
+ "long-option": "rsa",
+ "description": "Generate RSA key",
+ "detail": "When combined with --generate-privkey generates an RSA private key.",
+ "deprecated": true
+ },
+ {
+ "long-option": "dsa",
+ "description": "Generate DSA key",
+ "detail": "When combined with --generate-privkey generates a DSA private key.",
+ "deprecated": true
+ },
+ {
+ "long-option": "ecc",
+ "description": "Generate ECC (ECDSA) key",
+ "detail": "When combined with --generate-privkey generates an elliptic curve private key to be used with ECDSA.",
+ "deprecated": true
+ },
+ {
+ "long-option": "ecdsa",
+ "deprecated": true,
+ "aliases": "ecc"
+ },
+ {
+ "long-option": "hash",
+ "description": "Hash algorithm to use for signing",
+ "detail": "Available hash functions are SHA1, RMD160, SHA256, SHA384, SHA512, SHA3-224, SHA3-256, SHA3-384, SHA3-512.",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "salt-size",
+ "description": "Specify the RSA-PSS key default salt size",
+ "detail": "Typical keys shouldn't set or restrict this option.",
+ "argument-type": "number"
+ },
+ {
+ "long-option": "inder",
+ "description": "Use DER format for input certificates, private keys, and DH parameters ",
+ "detail": "The input files will be assumed to be in DER or RAW format. \nUnlike options that in PEM input would allow multiple input data (e.g. multiple \ncertificates), when reading in DER format a single data structure is read.",
+ "disable-prefix": "no-"
+ },
+ {
+ "long-option": "inraw",
+ "aliases": "inder"
+ },
+ {
+ "long-option": "outder",
+ "description": "Use DER format for output certificates, private keys, and DH parameters",
+ "detail": "The output will be in DER or RAW format.",
+ "disable-prefix": "no-"
+ },
+ {
+ "long-option": "outraw",
+ "aliases": "outder"
+ },
+ {
+ "long-option": "disable-quick-random",
+ "description": "No effect",
+ "deprecated": true
+ },
+ {
+ "long-option": "template",
+ "description": "Template file to use for non-interactive operation",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "stdout-info",
+ "description": "Print information to stdout instead of stderr"
+ },
+ {
+ "long-option": "ask-pass",
+ "description": "Enable interaction for entering password when in batch mode",
+ "detail": "This option will enable interaction to enter password when in batch mode. That is useful when the template option has been specified."
+ },
+ {
+ "long-option": "pkcs-cipher",
+ "description": "Cipher to use for PKCS #8 and #12 operations",
+ "detail": "Cipher may be one of 3des, 3des-pkcs12, aes-128, aes-192, aes-256, rc2-40, arcfour.",
+ "argument-type": "string",
+ "argument-name": "Cipher"
+ },
+ {
+ "long-option": "provider",
+ "description": "Specify the PKCS #11 provider library",
+ "detail": "This will override the default options in /etc/gnutls/pkcs11.conf",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "text",
+ "description": "Output textual information before PEM-encoded certificates, private keys, etc",
+ "detail": "Output textual information before PEM-encoded data",
+ "enabled": true,
+ "disable-prefix": "no-"
+ }
+ ]
+ }
+ ]
+} \ No newline at end of file
diff --git a/src/danetool-options.json b/src/danetool-options.json
index c744498323..6ce9919053 100644
--- a/src/danetool-options.json
+++ b/src/danetool-options.json
@@ -1,171 +1,167 @@
-[
- {
- "meta": {
- "detail": "Tool to generate and check DNS resource records for the DANE protocol.",
- "explain": "",
- "desc": "",
- "prog-title": "GnuTLS DANE tool",
- "prog-desc": "Generate DANE TLSA RR entries.",
- "short-usage": "danetool --[tlsa-rr|check] [options]\ndanetool --help for additional usage instructions.\n",
- "prog-name": "danetool"
- },
- "options": [
- {
- "long-option": "debug",
- "desc": "Enable debugging",
- "short-option": "d",
- "arg-max": " 9999",
- "arg-min": "0 ",
- "arg-type": "number",
- "detail": "Specifies the debug level."
- },
- {
- "desc": "More verbose output",
- "detail": "",
- "long-option": "verbose",
- "short-option": "V",
- "max": "NOLIMIT",
- "disabled": ""
- },
- {
- "detail": "",
- "desc": "Output file",
- "arg-type": "string",
- "long-option": "outfile"
- },
- {
- "desc": "Loads a public key file",
- "long-option": "load-pubkey",
- "detail": "This can be either a file or a PKCS #11 URL",
- "arg-type": "string"
- },
- {
- "desc": "Loads a certificate file",
- "detail": "This can be either a file or a PKCS #11 URL",
- "arg-type": "string",
- "long-option": "load-certificate"
- },
- {
- "arg-type": "string",
- "desc": "Sets a DLV file",
- "detail": "This sets a DLV file to be used for DNSSEC verification.",
- "long-option": "dlv"
- },
- {
- "detail": "Available hash functions are SHA1, RMD160, SHA256, SHA384, SHA512.",
- "arg-type": "string",
- "desc": "Hash algorithm to use for signing",
- "long-option": "hash"
- },
- {
- "arg-type": "string",
- "desc": "Check a host's DANE TLSA entry",
- "detail": "Obtains the DANE TLSA entry from the given hostname and prints information. Note that the actual certificate of the host can be provided using --load-certificate, otherwise danetool will connect to the server to obtain it. The exit code on verification success will be zero.",
- "long-option": "check"
- },
- {
- "long-option": "check-ee",
- "desc": "Check only the end-entity's certificate",
- "detail": "Checks the end-entity's certificate only. Trust anchors or CAs are not considered."
- },
- {
- "desc": "Check only the CA's certificate",
- "long-option": "check-ca",
- "detail": "Checks the trust anchor's and CA's certificate only. End-entities are not considered."
- },
- {
- "desc": "Print the DANE RR data on a certificate or public key",
- "requires": "host",
- "long-option": "tlsa-rr",
- "detail": "This command prints the DANE RR data needed to enable DANE on a DNS server."
- },
- {
- "long-option": "host",
- "arg-type": "string",
- "desc": "Specify the hostname to be used in the DANE RR",
- "detail": "This command sets the hostname for the DANE RR.",
- "arg-name": "Hostname"
- },
- {
- "arg-type": "string",
- "arg-name": "Protocol",
- "long-option": "proto",
- "desc": "The protocol set for DANE data (tcp, udp etc.)",
- "detail": "This command specifies the protocol for the service set in the DANE data."
- },
- {
- "default-value": "443",
- "long-option": "port",
- "arg-type": "string",
- "desc": "The port or service to connect to, for DANE data",
- "detail": ""
- },
- {
- "aliases": "starttls-proto",
- "long-option": "app-proto"
- },
- {
- "desc": "The application protocol to be used to obtain the server's certificate (https, ftp, smtp, imap, ldap, xmpp, lmtp, pop3, nntp, sieve, postgres)",
- "detail": "When the server's certificate isn't provided danetool will connect to the server to obtain the certificate. In that case it is required to know the protocol to talk with the server prior to initiating the TLS handshake.",
- "arg-type": "string",
- "long-option": "starttls-proto"
- },
- {
- "long-option": "ca",
- "desc": "Whether the provided certificate or public key is a Certificate Authority",
- "detail": "Marks the DANE RR as a CA certificate if specified."
- },
- {
- "detail": "This option forces the generated record to contain the hash of the full X.509 certificate. By default only the hash of the public key is used.",
- "long-option": "x509",
- "desc": "Use the hash of the X.509 certificate, rather than the public key"
- },
- {
- "aliases": "domain",
- "long-option": "local"
- },
- {
- "disable-prefix": "no-",
- "detail": "DANE distinguishes certificates and public keys offered via the DNSSEC to trusted and local entities. This flag indicates that this is a domain-issued certificate, meaning that there could be no CA involved.",
- "long-option": "domain",
- "desc": "The provided certificate or public key is issued by the local domain",
- "enabled": ""
- },
- {
- "disabled": "",
- "detail": "This option will use the local DNS server for DNSSEC.\nThis is disabled by default due to many servers not allowing DNSSEC.",
- "desc": "Use the local DNS server for DNSSEC resolving",
- "long-option": "local-dns",
- "disable-prefix": "no-"
- },
- {
- "long-option": "insecure",
- "detail": "Ignores any DNSSEC signature verification results.",
- "desc": "Do not verify any DNSSEC signature"
- },
- {
- "disable-prefix": "no-",
- "detail": "The input files will be assumed to be in DER or RAW format. \nUnlike options that in PEM input would allow multiple input data (e.g. multiple \ncertificates), when reading in DER format a single data structure is read.",
- "long-option": "inder",
- "desc": "Use DER format for input certificates and private keys",
- "disabled": ""
- },
- {
- "aliases": "inder",
- "long-option": "inraw"
- },
- {
- "desc": "Print the received DANE data in raw format",
- "detail": "This option will print the received DANE data.",
- "long-option": "print-raw",
- "disabled": "",
- "disable-prefix": "no-"
- },
- {
- "desc": "Suppress several informational messages",
- "detail": "In that case on the exit code can be used as an indication of verification success",
- "long-option": "quiet"
- }
- ]
- }
-] \ No newline at end of file
+{
+ "format-version": "0.1.0",
+ "tool": {
+ "name": "danetool",
+ "title": "GnuTLS DANE tool",
+ "description": "Generate DANE TLSA RR entries.",
+ "detail": "Tool to generate and check DNS resource records for the DANE protocol.",
+ "short-usage": "danetool --[tlsa-rr|check] [options]\ndanetool --help for additional usage instructions.\n"
+ },
+ "sections": [
+ {
+ "options": [
+ {
+ "long-option": "debug",
+ "short-option": "d",
+ "description": "Enable debugging",
+ "detail": "Specifies the debug level.",
+ "argument-range": {
+ "min": 0,
+ "max": 9999
+ },
+ "argument-type": "number"
+ },
+ {
+ "long-option": "verbose",
+ "short-option": "V",
+ "description": "More verbose output"
+ },
+ {
+ "long-option": "outfile",
+ "description": "Output file",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "load-pubkey",
+ "description": "Loads a public key file",
+ "detail": "This can be either a file or a PKCS #11 URL",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "load-certificate",
+ "description": "Loads a certificate file",
+ "detail": "This can be either a file or a PKCS #11 URL",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "dlv",
+ "description": "Sets a DLV file",
+ "detail": "This sets a DLV file to be used for DNSSEC verification.",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "hash",
+ "description": "Hash algorithm to use for signing",
+ "detail": "Available hash functions are SHA1, RMD160, SHA256, SHA384, SHA512.",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "check",
+ "description": "Check a host's DANE TLSA entry",
+ "detail": "Obtains the DANE TLSA entry from the given hostname and prints information. Note that the actual certificate of the host can be provided using --load-certificate, otherwise danetool will connect to the server to obtain it. The exit code on verification success will be zero.",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "check-ee",
+ "description": "Check only the end-entity's certificate",
+ "detail": "Checks the end-entity's certificate only. Trust anchors or CAs are not considered."
+ },
+ {
+ "long-option": "check-ca",
+ "description": "Check only the CA's certificate",
+ "detail": "Checks the trust anchor's and CA's certificate only. End-entities are not considered."
+ },
+ {
+ "long-option": "tlsa-rr",
+ "description": "Print the DANE RR data on a certificate or public key",
+ "detail": "This command prints the DANE RR data needed to enable DANE on a DNS server.",
+ "requires": [
+ "host"
+ ]
+ },
+ {
+ "long-option": "host",
+ "description": "Specify the hostname to be used in the DANE RR",
+ "detail": "This command sets the hostname for the DANE RR.",
+ "argument-type": "string",
+ "argument-name": "Hostname"
+ },
+ {
+ "long-option": "proto",
+ "description": "The protocol set for DANE data (tcp, udp etc.)",
+ "detail": "This command specifies the protocol for the service set in the DANE data.",
+ "argument-type": "string",
+ "argument-name": "Protocol"
+ },
+ {
+ "long-option": "port",
+ "description": "The port or service to connect to, for DANE data",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "app-proto",
+ "aliases": "starttls-proto"
+ },
+ {
+ "long-option": "starttls-proto",
+ "description": "The application protocol to be used to obtain the server's certificate (https, ftp, smtp, imap, ldap, xmpp, lmtp, pop3, nntp, sieve, postgres)",
+ "detail": "When the server's certificate isn't provided danetool will connect to the server to obtain the certificate. In that case it is required to know the protocol to talk with the server prior to initiating the TLS handshake.",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "ca",
+ "description": "Whether the provided certificate or public key is a Certificate Authority",
+ "detail": "Marks the DANE RR as a CA certificate if specified."
+ },
+ {
+ "long-option": "x509",
+ "description": "Use the hash of the X.509 certificate, rather than the public key",
+ "detail": "This option forces the generated record to contain the hash of the full X.509 certificate. By default only the hash of the public key is used."
+ },
+ {
+ "long-option": "local",
+ "aliases": "domain"
+ },
+ {
+ "long-option": "domain",
+ "description": "The provided certificate or public key is issued by the local domain",
+ "detail": "DANE distinguishes certificates and public keys offered via the DNSSEC to trusted and local entities. This flag indicates that this is a domain-issued certificate, meaning that there could be no CA involved.",
+ "enabled": true,
+ "disable-prefix": "no-"
+ },
+ {
+ "long-option": "local-dns",
+ "description": "Use the local DNS server for DNSSEC resolving",
+ "detail": "This option will use the local DNS server for DNSSEC.\nThis is disabled by default due to many servers not allowing DNSSEC.",
+ "disable-prefix": "no-"
+ },
+ {
+ "long-option": "insecure",
+ "description": "Do not verify any DNSSEC signature",
+ "detail": "Ignores any DNSSEC signature verification results."
+ },
+ {
+ "long-option": "inder",
+ "description": "Use DER format for input certificates and private keys",
+ "detail": "The input files will be assumed to be in DER or RAW format. \nUnlike options that in PEM input would allow multiple input data (e.g. multiple \ncertificates), when reading in DER format a single data structure is read.",
+ "disable-prefix": "no-"
+ },
+ {
+ "long-option": "inraw",
+ "aliases": "inder"
+ },
+ {
+ "long-option": "print-raw",
+ "description": "Print the received DANE data in raw format",
+ "detail": "This option will print the received DANE data.",
+ "disable-prefix": "no-"
+ },
+ {
+ "long-option": "quiet",
+ "description": "Suppress several informational messages",
+ "detail": "In that case on the exit code can be used as an indication of verification success"
+ }
+ ]
+ }
+ ]
+} \ No newline at end of file
diff --git a/src/gen-getopt.py b/src/gen-getopt.py
deleted file mode 100644
index 1ee4651f8e..0000000000
--- a/src/gen-getopt.py
+++ /dev/null
@@ -1,674 +0,0 @@
-#!/usr/bin/python
-# Copyright (C) 2021 Daiki Ueno
-
-# This file is part of GnuTLS.
-
-# GnuTLS is free software: you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-
-# GnuTLS is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-# General Public License for more details.
-
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see
-# <https://www.gnu.org/licenses/>.
-
-from typing import Mapping, MutableMapping, MutableSequence, Sequence
-from typing import TextIO, Union
-import io
-import os.path
-import jsonopts
-import sys
-
-INDENT = ' '
-
-
-def get_aliases(options) -> Mapping[str, Sequence[str]]:
- aliases: MutableMapping[str, MutableSequence[str]] = dict()
- for option in options:
- long_opt = option['long-option']
- key = option.get('aliases')
- if key:
- val = aliases.get(key, list())
- val.append(long_opt)
- aliases[key] = val
- return aliases
-
-
-def get_chars(options) -> Mapping[str, Union[str, int]]:
- chars = dict()
- chars_counter = 1
- short_opts: MutableMapping[str, str] = dict()
- for option in options:
- long_opt = option['long-option']
- short_opt = option.get('short-option')
- # If the short option is already taken, do not register twice
- if short_opt and short_opt in short_opts:
- print((f'short option {short_opt} for {long_opt} is already '
- f'taken by {short_opts[short_opt]}'),
- file=sys.stderr)
- short_opt = None
- if short_opt:
- chars[long_opt] = short_opt
- short_opts[short_opt] = long_opt
- else:
- chars[long_opt] = chars_counter
- chars_counter += 1
- disable_prefix = option.get('disable-prefix')
- if disable_prefix:
- chars[f'{disable_prefix}{long_opt}'] = chars_counter
- chars_counter += 1
- return chars
-
-
-# Reserved keywords in C, from 6.4.1 of N1570
-KEYWORDS = {
- 'auto', 'break', 'case', 'char', 'const', 'continue', 'default', 'do',
- 'double', 'else', 'enum', 'extern', 'float', 'for', 'goto', 'if', 'inline',
- 'int', 'long', 'register', 'restrict', 'return', 'short', 'signed',
- 'sizeof', 'static', 'struct', 'switch', 'typedef', 'union', 'unsigned',
- 'void', 'volatile', 'while', '_Alignas', '_Alignof', '_Atomic', '_Bool',
- '_Complex', '_Generic', '_Imaginary', '_Noreturn', '_Static_assert',
- '_Thread_local',
-}
-
-
-def escape_c_keyword(name: str) -> str:
- while name in KEYWORDS:
- name += '_'
- return name
-
-
-def mangle(name: str) -> str:
- return ''.join([c if c in 'abcdefghijklmnopqrstuvwxyz0123456789_' else '_'
- for c in name.lower()])
-
-
-def format_long_opt(c: Union[str, int], long_opt: str, has_arg: str) -> str:
- if isinstance(c, str):
- return f"{INDENT}{{ \"{long_opt}\", {has_arg}, 0, '{c}' }},\n"
- else:
- return f'{INDENT}{{ "{long_opt}", {has_arg}, 0, CHAR_MAX + {c} }},\n'
-
-
-def format_switch_case(c: Union[str, int], long_opt: str) -> str:
- if isinstance(c, str):
- return f"{INDENT*3}case '{c}':\n"
- else:
- return f'{INDENT*3}case CHAR_MAX + {c}: /* --{long_opt} */\n'
-
-
-def gen_c(meta: Mapping[str, str],
- options: Sequence[Mapping[str, str]],
- aliases: Mapping[str, Sequence[str]],
- usage: str,
- outfile: TextIO):
- long_opts = io.StringIO()
- short_opts = list()
- switch_cases = io.StringIO()
- enable_statements = io.StringIO()
- constraint_statements = io.StringIO()
- has_list_arg = False
- has_number_arg = False
-
- chars = get_chars(options)
-
- prog_name = meta['prog-name']
- struct_name = f'{mangle(prog_name)}_opts'
- global_name = f'{mangle(prog_name)}Options'
-
- switch_cases.write(f"{INDENT*3}case '\\0': /* Long option. */\n")
- switch_cases.write(f'{INDENT*4}break;\n')
-
- for option in options:
- long_opt = option['long-option']
- arg_type = option.get('arg-type')
- lower_opt = mangle(long_opt)
- upper_opt = lower_opt.upper()
- lower_opt = escape_c_keyword(lower_opt)
-
- # aliases are handled differently
- if 'aliases' in option:
- continue
-
- if arg_type:
- if 'arg-optional' in option:
- has_arg = 'optional_argument'
- else:
- has_arg = 'required_argument'
- else:
- has_arg = 'no_argument'
-
- c = chars[long_opt]
-
- if isinstance(c, str):
- if arg_type:
- short_opts.append(c + ':')
- else:
- short_opts.append(c)
-
- long_opts.write(format_long_opt(c, long_opt, has_arg))
- switch_cases.write(format_switch_case(c, long_opt))
-
- for alias in aliases.get(long_opt, list()):
- c = chars[alias]
- long_opts.write(format_long_opt(c, alias, has_arg))
- switch_cases.write(format_switch_case(c, alias))
-
- switch_cases.write(f'{INDENT*4}opts->present.{lower_opt} = true;\n')
-
- if arg_type:
- if 'stack-arg' in option:
- has_list_arg = True
- switch_cases.write((
- f'{INDENT*4}append_to_list (&opts->list.{lower_opt}, '
- f'"{long_opt}", optarg);\n'
- ))
- else:
- switch_cases.write(
- f'{INDENT*4}opts->arg.{lower_opt} = optarg;\n'
- )
- if arg_type == 'number':
- has_number_arg = True
- switch_cases.write((
- f'{INDENT*4}opts->value.{lower_opt} = '
- 'parse_number(optarg);\n'
- ))
- if 'enabled' in option or 'disabled' in option:
- switch_cases.write(
- f'{INDENT*4}opts->enabled.{lower_opt} = true;\n'
- )
-
- switch_cases.write(f'{INDENT*4}break;\n')
-
- if 'enabled' in option:
- enable_statements.write(
- f'{INDENT}opts->enabled.{lower_opt} = true;\n'
- )
- disable_prefix = option.get('disable-prefix')
- if disable_prefix:
- disable_opt = f'{disable_prefix}{long_opt}'
- c = chars[disable_opt]
- long_opts.write(format_long_opt(c, disable_opt, has_arg))
- switch_cases.write(format_switch_case(c, disable_opt))
- switch_cases.write(
- f'{INDENT*4}opts->present.{lower_opt} = true;\n'
- )
- switch_cases.write(
- f'{INDENT*4}opts->enabled.{lower_opt} = false;\n'
- )
- switch_cases.write(f'{INDENT*4}break;\n')
-
- conflict_opts = option.get('conflicts', '').split()
- for conflict_opt in conflict_opts:
- constraint_statements.write(f'''\
-{INDENT}if (HAVE_OPT({upper_opt}) && HAVE_OPT({mangle(conflict_opt).upper()}))
-{INDENT*2}{{
-{INDENT*3}error (EXIT_FAILURE, 0, "the '%s' and '%s' options conflict",
-{INDENT*3} "{long_opt}", "{mangle(conflict_opt)}");
-{INDENT*2}}}
-''')
- require_opts = option.get('requires', '').split()
- for require_opt in require_opts:
- constraint_statements.write(f'''\
-{INDENT}if (HAVE_OPT({upper_opt}) && !HAVE_OPT({mangle(require_opt).upper()}))
-{INDENT*2}{{
-{INDENT*3}error (EXIT_FAILURE, 0, "%s option requires the %s options",
-{INDENT*3} "{long_opt}", "{mangle(require_opt)}");
-{INDENT*2}}}
-''')
- arg_min = option.get('arg-min')
- if arg_min:
- constraint_statements.write(f'''\
-{INDENT}if (HAVE_OPT({upper_opt}) && OPT_VALUE_{upper_opt} < {int(arg_min)})
-{INDENT*2}{{
-{INDENT*3}error (EXIT_FAILURE, 0, "%s option value %d is out of range.",
-{INDENT*3} "{long_opt}", opts->value.{lower_opt});
-{INDENT*2}}}
-''')
- arg_max = option.get('arg-max')
- if arg_max:
- constraint_statements.write(f'''\
-{INDENT}if (HAVE_OPT({upper_opt}) && OPT_VALUE_{upper_opt} > {int(arg_max)})
-{INDENT*2}{{
-{INDENT*3}error (EXIT_FAILURE, 0, "%s option value %d is out of range",
-{INDENT*3} "{long_opt}", opts->value.{lower_opt});
-{INDENT*2}}}
-''')
-
- long_opts.write(f'{INDENT}{{ 0, 0, 0, 0 }}\n')
-
- switch_cases.write(f'{INDENT*3}default:\n')
- switch_cases.write(f'{INDENT*4}usage (stderr, EXIT_FAILURE);\n')
- switch_cases.write(f'{INDENT*4}break;\n')
-
- argument = meta.get('argument')
- if argument:
- if argument.startswith('[') and argument.endswith(']'):
- argument = argument[1:-1]
- argument_statement = ''
- else:
- argument_statement = f'''\
-{INDENT}if (optind == argc)
-{INDENT*2}{{
-{INDENT*3}error (EXIT_FAILURE, 0, "Command line arguments required");
-{INDENT*2}}}
-'''
- else:
- argument_statement = f'''\
-{INDENT}if (optind < argc)
-{INDENT*2}{{
-{INDENT*3}error (EXIT_FAILURE, 0, "Command line arguments are not allowed.");
-{INDENT*2}}}
-'''
-
- short_opts_concatenated = ''.join(sorted(short_opts))
- usage_stringified = '\n'.join([
- f'{INDENT*2}"{line}\\n"' for line in usage.split('\n')
- ])
- brief_version = jsonopts.version(meta, 'v')
- version = jsonopts.version(meta, 'c')
- full_version = jsonopts.version(meta, 'n')
- brief_version_stringified = '\n'.join([
- f'{INDENT*6}"{line}\\n"' for line in brief_version.split('\n')
- ])
- version_stringified = '\n'.join([
- f'{INDENT*6}"{line}\\n"' for line in version.split('\n')
- ])
- full_version_stringified = '\n'.join([
- f'{INDENT*6}"{line}\\n"' for line in full_version.split('\n')
- ])
-
- outfile.write(f'''\
-/* This file is auto-generated from {meta['infile']}; do not edit */
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-#endif
-
-#include "{meta['header']}"
-#include <errno.h>
-#include <error.h>
-#include <getopt.h>
-#include <limits.h>
-#include <stdlib.h>
-#include <string.h>
-#ifndef _WIN32
-#include <unistd.h>
-#endif /* !_WIN32 */
-#include "xsize.h"
-
-struct {struct_name} {global_name};
-
-''')
-
- if has_list_arg:
- outfile.write(f'''\
-static void
-append_to_list (struct {mangle(prog_name)}_list *list,
- const char *name, const char *arg)
-{{
-{INDENT}const char **tmp;
-{INDENT}size_t new_count = xsum (list->count, 1);
-
-{INDENT}if (size_overflow_p (new_count))
-{INDENT*2}error (EXIT_FAILURE, 0, "too many arguments for %s",
-{INDENT*2} name);
-
-{INDENT}tmp = reallocarray (list->args, new_count, sizeof (char *));
-{INDENT}if (!tmp)
-{INDENT*2}error (EXIT_FAILURE, 0, "unable to allocate memory for %s",
-{INDENT*2} name);
-
-{INDENT}list->args = tmp;
-{INDENT}list->args[list->count] = optarg;
-{INDENT}list->count = new_count;
-}}
-
-''')
-
- if has_number_arg:
- outfile.write(f'''\
-static long
-parse_number (const char *arg)
-{{
-{INDENT}char *endptr = NULL;
-{INDENT}errno = 0;
-{INDENT}long result;
-
-{INDENT}if (strncmp (arg, "0x", 2) == 0)
-{INDENT*2}result = strtol (arg + 2, &endptr, 16);
-{INDENT}else if (strncmp (arg, "0", 1) == 0
-{INDENT} && strspn (arg, "012345678") == strlen (optarg))
-{INDENT*2}result = strtol (arg + 1, &endptr, 8);
-{INDENT}else
-{INDENT*2}result = strtol (arg, &endptr, 10);
-
-{INDENT}if (errno != 0 || (endptr && *endptr != '\\0'))
-{INDENT*2}error (EXIT_FAILURE, errno, "'%s' is not a recognizable number.",
-{INDENT*2} arg);
-
-{INDENT}return result;
-}}
-
-''')
-
- outfile.write(f'''\
-/* Long options. */
-static const struct option long_options[] =
-{{
-{long_opts.getvalue()}
-}};
-
-int
-optionProcess (struct {struct_name} *opts, int argc, char **argv)
-{{
-{INDENT}int opt;
-
-{enable_statements.getvalue().rstrip()}
-{INDENT}while ((opt = getopt_long (argc, argv, "{short_opts_concatenated}",
-{INDENT} long_options, NULL)) != EOF)
-{INDENT*2}switch (opt)
-{INDENT*3}{{
-{switch_cases.getvalue().rstrip()}
-{INDENT*3}}}
-
-{constraint_statements.getvalue().rstrip()}
-{argument_statement}
-
-{INDENT}if (HAVE_OPT(HELP))
-{INDENT*2}{{
-{INDENT*3}USAGE(0);
-{INDENT*2}}}
-
-{INDENT}if (HAVE_OPT(MORE_HELP))
-#ifdef _WIN32
-{INDENT*2}{{
-{INDENT*3}USAGE(0);
-{INDENT*2}}}
-#else /* _WIN32 */
-{INDENT*2}{{
-{INDENT*3}pid_t pid;
-{INDENT*3}int pfds[2];
-
-{INDENT*3}if (pipe (pfds) < 0)
-{INDENT*4}error (EXIT_FAILURE, errno, "pipe");
-
-{INDENT*3}pid = fork ();
-{INDENT*3}if (pid < 0)
-{INDENT*4}error (EXIT_FAILURE, errno, "fork");
-
-{INDENT*3}if (pid == 0)
-{INDENT*4}{{
-{INDENT*5}close (pfds[0]);
-{INDENT*5}dup2 (pfds[1], STDOUT_FILENO);
-{INDENT*5}close (pfds[1]);
-
-{INDENT*5}usage (stdout, 0);
-{INDENT*4}}}
-{INDENT*3}else
-{INDENT*4}{{
-{INDENT*5}const char *args[2];
-{INDENT*5}const char *envvar;
-
-{INDENT*5}close (pfds[1]);
-{INDENT*5}dup2 (pfds[0], STDIN_FILENO);
-{INDENT*5}close (pfds[0]);
-
-{INDENT*5}envvar = secure_getenv ("PAGER");
-{INDENT*5}if (!envvar || *envvar == '\\0')
-{INDENT*6}args[0] = "more";
-{INDENT*5}else
-{INDENT*6}args[0] = envvar;
-
-{INDENT*5}args[1] = NULL;
-
-{INDENT*5}execvp (args[0], (char * const *)args);
-
-{INDENT*5}exit (EXIT_FAILURE);
-{INDENT*4}}}
-{INDENT*2}}}
-#endif /* !_WIN32 */
-
-{INDENT}if (HAVE_OPT(VERSION))
-{INDENT*2}{{
-{INDENT*3}if (!OPT_ARG_VERSION || !strcmp (OPT_ARG_VERSION, "c"))
-{INDENT*4}{{
-{INDENT*5}const char str[] =
-{version_stringified};
-{INDENT*5}fprintf (stdout, "%s", str);
-{INDENT*5}exit(0);
-{INDENT*4}}}
-{INDENT*3}else if (!strcmp (OPT_ARG_VERSION, "v"))
-{INDENT*4}{{
-{INDENT*5}const char str[] =
-{brief_version_stringified};
-{INDENT*5}fprintf (stdout, "%s", str);
-{INDENT*5}exit(0);
-{INDENT*4}}}
-{INDENT*3}else if (!strcmp (OPT_ARG_VERSION, "n"))
-{INDENT*4}{{
-{INDENT*5}const char str[] =
-{full_version_stringified};
-{INDENT*5}fprintf (stdout, "%s", str);
-{INDENT*5}exit(0);
-{INDENT*4}}}
-{INDENT*3}else
-{INDENT*4}{{
-{INDENT*5}error (EXIT_FAILURE, 0,
-{INDENT*5} "version option argument 'a' invalid. Use:\\n"
-{INDENT*5} " 'v' - version only\\n"
-{INDENT*5} " 'c' - version and copyright\\n"
-{INDENT*5} " 'n' - version and full copyright notice");
-{INDENT*4}}}
-{INDENT*2}}}
-
-{INDENT}return optind;
-}}
-
-void
-usage (FILE *out, int status)
-{{
-{INDENT}const char str[] =
-{usage_stringified};
-{INDENT}fprintf (out, "%s", str);
-{INDENT}exit (status);
-}}
-''')
-
-
-def gen_h(meta: Mapping[str, str],
- options: Sequence[Mapping[str, str]],
- aliases: Mapping[str, Sequence[str]],
- outfile: TextIO):
- struct_members_present = io.StringIO()
- struct_members_arg = io.StringIO()
- struct_members_value = io.StringIO()
- struct_members_enabled = io.StringIO()
- struct_members_list = io.StringIO()
- have_opts = io.StringIO()
- opt_args = io.StringIO()
- opt_values = io.StringIO()
- enabled_opts = io.StringIO()
- stackct_opts = io.StringIO()
- stacklst_opts = io.StringIO()
-
- prog_name = meta['prog-name']
- struct_name = f'{mangle(prog_name)}_opts'
- global_name = f'{mangle(prog_name)}Options'
- list_struct_name = f'{mangle(prog_name)}_list'
-
- for option in options:
- long_opt = option['long-option']
- arg_type = option.get('arg-type')
- lower_opt = mangle(long_opt)
- upper_opt = lower_opt.upper()
- lower_opt = escape_c_keyword(lower_opt)
-
- # aliases are handled differently
- if 'aliases' in option:
- continue
-
- struct_members_present.write(f'{INDENT*2}bool {lower_opt};\n')
-
- if arg_type:
- if 'stack-arg' in option:
- struct_members_list.write(
- f'{INDENT*2}struct {list_struct_name} {lower_opt};\n'
- )
- stackct_opts.write((
- f'#define STACKCT_OPT_{upper_opt} '
- f'{global_name}.list.{lower_opt}.count\n'
- ))
- stacklst_opts.write((
- f'#define STACKLST_OPT_{upper_opt} '
- f'{global_name}.list.{lower_opt}.args\n'
- ))
- else:
- struct_members_arg.write(
- f'{INDENT*2}const char *{lower_opt};\n'
- )
- if arg_type == 'number':
- struct_members_value.write(f'{INDENT*2}int {lower_opt};\n')
- opt_values.write((
- f'#define OPT_VALUE_{upper_opt} '
- f'{global_name}.value.{lower_opt}\n'
- ))
-
- if 'enabled' in option or 'disabled' in option:
- struct_members_enabled.write(f'{INDENT*2}bool {lower_opt};\n')
- enabled_opts.write((
- f'#define ENABLED_OPT_{upper_opt} '
- f'{global_name}.enabled.{lower_opt}\n'
- ))
-
- have_opts.write((
- f'#define HAVE_OPT_{upper_opt} '
- f'{global_name}.present.{lower_opt}\n'
- ))
- opt_args.write((
- f'#define OPT_ARG_{upper_opt} '
- f'{global_name}.arg.{lower_opt}\n'
- ))
-
- header_guard = f'{mangle(meta["header"]).upper()}_'
-
- outfile.write(f'''\
-/* This file is auto-generated from {meta["infile"]}; do not edit */
-#include <stdbool.h>
-#include <stdio.h>
-
-#ifndef {header_guard}
-#define {header_guard} 1
-
-struct {list_struct_name}
-{{
-{INDENT}const char **args;
-{INDENT}unsigned int count;
-}};
-
-struct {struct_name}
-{{
-{INDENT}/* Options present in the command line */
-{INDENT}struct
-{INDENT}{{
-{struct_members_present.getvalue().rstrip()}
-{INDENT}}} present;
-
-{INDENT}/* Option arguments in raw string form */
-{INDENT}struct
-{INDENT}{{
-{struct_members_arg.getvalue().rstrip()}
-{INDENT}}} arg;
-
-{INDENT}/* Option arguments parsed as integer */
-{INDENT}struct
-{INDENT}{{
-{struct_members_value.getvalue().rstrip()}
-{INDENT}}} value;
-
-{INDENT}/* Option arguments parsed as list */
-{INDENT}struct
-{INDENT}{{
-{struct_members_list.getvalue().rstrip()}
-{INDENT}}} list;
-
-{INDENT}/* Option enablement status */
-{INDENT}struct
-{INDENT}{{
-{struct_members_enabled.getvalue().rstrip()}
-{INDENT}}} enabled;
-}};
-
-#define HAVE_OPT(name) HAVE_OPT_ ## name
-#define OPT_ARG(name) OPT_ARG_ ## name
-#define ENABLED_OPT(name) ENABLED_OPT_ ## name
-#define STACKCT_OPT(name) STACKCT_OPT_ ## name
-#define STACKLST_OPT(name) STACKLST_OPT_ ## name
-#define USAGE(status) usage (stdout, (status))
-
-{have_opts.getvalue()}
-{opt_args.getvalue()}
-{opt_values.getvalue()}
-{enabled_opts.getvalue()}
-{stackct_opts.getvalue()}
-{stacklst_opts.getvalue()}
-
-extern struct {struct_name} {global_name};
-int optionProcess(struct {struct_name} *opts, int argc, char **argv);
-void usage (FILE *out, int status);
-
-#endif /* {header_guard} */
-''')
-
-
-def gen(infile: TextIO, meta: Mapping[str, str], c: TextIO, h: TextIO):
- sections = [jsonopts.Section.from_json(section)
- for section in json.load(args.json)]
- sections.append(jsonopts.Section.default())
- meta = {
- **meta,
- **sections[0].meta,
- **{
- 'header': os.path.basename(h.name),
- 'infile': os.path.basename(infile.name)
- }
- }
- options = [option for section in sections for option in section.options]
- aliases = get_aliases(options)
- usage = jsonopts.usage(meta, sections)
- gen_c(meta, options, aliases, usage, c)
- gen_h(meta, options, aliases, h)
-
-
-if __name__ == '__main__':
- import argparse
- import json
-
- parser = argparse.ArgumentParser(description='generate getopt wrapper')
- parser.add_argument('json', type=argparse.FileType('r'))
- parser.add_argument('c', type=argparse.FileType('w'))
- parser.add_argument('h', type=argparse.FileType('w'))
- parser.add_argument('--bug-email', help='bug report email address')
- parser.add_argument('--copyright-year', help='copyright year')
- parser.add_argument('--copyright-holder', help='copyright holder')
- parser.add_argument('--license', help='license')
- parser.add_argument('--version', help='version')
-
- args = parser.parse_args()
- meta = dict()
- if args.bug_email:
- meta['bug-email'] = args.bug_email
- if args.copyright_year:
- meta['copyright-year'] = args.copyright_year
- if args.copyright_holder:
- meta['copyright-holder'] = args.copyright_holder
- if args.license:
- meta['license'] = args.license
- if args.version:
- meta['version'] = args.version
-
- gen(args.json, meta, args.c, args.h)
diff --git a/src/gnutls-cli-debug-options.json b/src/gnutls-cli-debug-options.json
index 5c286577f8..04f74c61a7 100644
--- a/src/gnutls-cli-debug-options.json
+++ b/src/gnutls-cli-debug-options.json
@@ -1,53 +1,54 @@
-[
- {
- "meta": {
- "argument": "[hostname]",
- "reorder-args": "",
- "explain": "",
- "prog-title": "GnuTLS debug client",
- "short-usage": "Usage: gnutls-cli-debug [options] hostname\ngnutls-cli --help for usage instructions.\n",
- "detail": "TLS debug client. It sets up multiple TLS connections to \na server and queries its capabilities. It was created to assist in debugging \nGnuTLS, but it might be useful to extract a TLS server's capabilities.\nIt connects to a TLS server, performs tests and print the server's \ncapabilities. If called with the `-V' parameter more checks will be performed.\nCan be used to check for servers with special needs or bugs.",
- "prog-desc": "Simple client program to check TLS server capabilities.",
- "prog-name": "gnutls-cli-debug",
- "desc": ""
- },
- "options": [
- {
- "short-option": "d",
- "detail": "Specifies the debug level.",
- "arg-max": " 9999",
- "arg-type": "number",
- "arg-min": "0 ",
- "long-option": "debug",
- "desc": "Enable debugging"
- },
- {
- "max": "NOLIMIT",
- "disabled": "",
- "desc": "More verbose output",
- "short-option": "V",
- "long-option": "verbose",
- "detail": ""
- },
- {
- "short-option": "p",
- "long-option": "port",
- "arg-min": "0 ",
- "desc": "The port to connect to",
- "arg-max": " 65536",
- "arg-type": "number",
- "detail": ""
- },
- {
- "aliases": "starttls-proto",
- "long-option": "app-proto"
- },
- {
- "detail": "Specify the application layer protocol for STARTTLS. If the protocol is supported, gnutls-cli will proceed to the TLS negotiation.",
- "arg-type": "string",
- "desc": "The application protocol to be used to obtain the server's certificate (https, ftp, smtp, imap, ldap, xmpp, lmtp, pop3, nntp, sieve, postgres)",
- "long-option": "starttls-proto"
- }
- ]
- }
-] \ No newline at end of file
+{
+ "format-version": "0.1.0",
+ "tool": {
+ "name": "gnutls-cli-debug",
+ "title": "GnuTLS debug client",
+ "description": "Simple client program to check TLS server capabilities.",
+ "detail": "TLS debug client. It sets up multiple TLS connections to \na server and queries its capabilities. It was created to assist in debugging \nGnuTLS, but it might be useful to extract a TLS server's capabilities.\nIt connects to a TLS server, performs tests and print the server's \ncapabilities. If called with the `-V' parameter more checks will be performed.\nCan be used to check for servers with special needs or bugs.",
+ "short-usage": "Usage: gnutls-cli-debug [options] hostname\ngnutls-cli --help for usage instructions.\n",
+ "argument": "[hostname]",
+ "reorder-arguments": true
+ },
+ "sections": [
+ {
+ "options": [
+ {
+ "long-option": "debug",
+ "short-option": "d",
+ "description": "Enable debugging",
+ "detail": "Specifies the debug level.",
+ "argument-range": {
+ "min": 0,
+ "max": 9999
+ },
+ "argument-type": "number"
+ },
+ {
+ "long-option": "verbose",
+ "short-option": "V",
+ "description": "More verbose output"
+ },
+ {
+ "long-option": "port",
+ "short-option": "p",
+ "description": "The port to connect to",
+ "argument-range": {
+ "min": 0,
+ "max": 65536
+ },
+ "argument-type": "number"
+ },
+ {
+ "long-option": "app-proto",
+ "aliases": "starttls-proto"
+ },
+ {
+ "long-option": "starttls-proto",
+ "description": "The application protocol to be used to obtain the server's certificate (https, ftp, smtp, imap, ldap, xmpp, lmtp, pop3, nntp, sieve, postgres)",
+ "detail": "Specify the application layer protocol for STARTTLS. If the protocol is supported, gnutls-cli will proceed to the TLS negotiation.",
+ "argument-type": "string"
+ }
+ ]
+ }
+ ]
+} \ No newline at end of file
diff --git a/src/gnutls-cli-options.json b/src/gnutls-cli-options.json
index c7b8ef2e01..6a6eea1651 100644
--- a/src/gnutls-cli-options.json
+++ b/src/gnutls-cli-options.json
@@ -1,432 +1,410 @@
-[
- {
- "meta": {
- "detail": "Simple client program to set up a TLS connection to some other computer. \nIt sets up a TLS connection and forwards data from the standard input to the secured socket and vice versa.",
- "prog-desc": "Simple client program to set up a TLS connection.",
- "explain": "",
- "short-usage": "Usage: gnutls-cli [options] hostname\ngnutls-cli --help for usage instructions.\n",
- "reorder-args": "",
- "prog-name": "gnutls-cli",
- "desc": "",
- "argument": "[hostname]",
- "prog-title": "GnuTLS client"
- },
- "options": [
- {
- "short-option": "d",
- "desc": "Enable debugging",
- "arg-type": "number",
- "arg-min": "0 ",
- "arg-max": " 9999",
- "detail": "Specifies the debug level.",
- "long-option": "debug"
- },
- {
- "disabled": "",
- "long-option": "verbose",
- "detail": "",
- "desc": "More verbose output",
- "short-option": "V",
- "max": "NOLIMIT"
- },
- {
- "detail": "This option will, in addition to certificate authentication, perform authentication\nbased on previously seen public keys, a model similar to SSH authentication. Note that when tofu \nis specified (PKI) and DANE authentication will become advisory to assist the public key acceptance\nprocess.",
- "disabled": "",
- "desc": "Enable trust on first use authentication",
- "disable-prefix": "no-",
- "long-option": "tofu"
- },
- {
- "detail": "This option will perform authentication as with option --tofu; however, no questions shall be asked whatsoever, neither to accept an unknown certificate nor a changed one.",
- "desc": "Fail to connect if a certificate is unknown or a known certificate has changed",
- "long-option": "strict-tofu",
- "disabled": "",
- "disable-prefix": "no-"
- },
- {
- "detail": "This option will, in addition to certificate authentication using \nthe trusted CAs, verify the server certificates using on the DANE information\navailable via DNSSEC.",
- "desc": "Enable DANE certificate verification (DNSSEC)",
- "disabled": "",
- "disable-prefix": "no-",
- "long-option": "dane"
- },
- {
- "disable-prefix": "no-",
- "detail": "This option will use the local DNS server for DNSSEC.\nThis is disabled by default due to many servers not allowing DNSSEC.",
- "desc": "Use the local DNS server for DNSSEC resolving",
- "long-option": "local-dns",
- "disabled": ""
- },
- {
- "desc": "Enable CA certificate verification",
- "detail": "This option can be used to enable or disable CA certificate verification. It is to be used with the --dane or --tofu options.",
- "disable-prefix": "no-",
- "enabled": "",
- "long-option": "ca-verification"
- },
- {
- "desc": "Enable OCSP certificate verification",
- "detail": "This option will enable verification of the peer's certificate using ocsp",
- "disable-prefix": "no-",
- "long-option": "ocsp",
- "disabled": ""
- },
- {
- "detail": "Connect, establish a session, reconnect and resume.",
- "desc": "Establish a session and resume",
- "short-option": "r",
- "long-option": "resume"
- },
- {
- "desc": "Send early data on resumption from the specified file",
- "detail": "",
- "arg-type": "string",
- "long-option": "earlydata"
- },
- {
- "short-option": "e",
- "desc": "Establish a session and rehandshake",
- "long-option": "rehandshake",
- "detail": "Connect, establish a session and rehandshake immediately."
- },
- {
- "desc": "Server's hostname for server name indication extension",
- "arg-type": "string",
- "detail": "Set explicitly the server name used in the TLS server name indication extension. That is useful when testing with servers setup on different DNS name than the intended. If not specified, the provided hostname is used. Even with this option server certificate verification still uses the hostname passed on the main commandline. Use --verify-hostname to change this.",
- "long-option": "sni-hostname"
- },
- {
- "long-option": "verify-hostname",
- "desc": "Server's hostname to use for validation",
- "detail": "Set explicitly the server name to be used when validating the server's certificate.",
- "arg-type": "string"
- },
- {
- "long-option": "starttls",
- "desc": "Connect, establish a plain session and start TLS",
- "detail": "The TLS session will be initiated when EOF or a SIGALRM is received.",
- "short-option": "s"
- },
- {
- "aliases": "starttls-proto",
- "long-option": "app-proto"
- },
- {
- "conflicts": "starttls",
- "arg-type": "string",
- "desc": "The application protocol to be used to obtain the server's certificate (https, ftp, smtp, imap, ldap, xmpp, lmtp, pop3, nntp, sieve, postgres)",
- "long-option": "starttls-proto",
- "detail": "Specify the application layer protocol for STARTTLS. If the protocol is supported, gnutls-cli will proceed to the TLS negotiation."
- },
- {
- "short-option": "u",
- "desc": "Use DTLS (datagram TLS) over UDP",
- "long-option": "udp",
- "detail": ""
- },
- {
- "arg-type": "number",
- "detail": "",
- "arg-max": "17000",
- "long-option": "mtu",
- "desc": "Set MTU for datagram TLS",
- "arg-min": "0"
- },
- {
- "detail": "",
- "long-option": "crlf",
- "desc": "Send CR LF instead of LF"
- },
- {
- "detail": "",
- "long-option": "fastopen",
- "desc": "Enable TCP Fast Open"
- },
- {
- "desc": "Use DER format for certificates to read from",
- "long-option": "x509fmtder",
- "detail": ""
- },
- {
- "desc": "Print peer's certificate in PEM format",
- "long-option": "print-cert",
- "detail": ""
- },
- {
- "desc": "Save the peer's certificate chain in the specified file in PEM format",
- "long-option": "save-cert",
- "detail": "",
- "arg-type": "string"
- },
- {
- "detail": "",
- "conflicts": "save-ocsp-multi",
- "long-option": "save-ocsp",
- "desc": "Save the peer's OCSP status response in the provided file",
- "arg-type": "string"
- },
- {
- "arg-type": "string",
- "detail": "The file will contain a list of PEM encoded OCSP status responses if any were provided by the peer, starting with the one for the peer's server certificate.",
- "long-option": "save-ocsp-multi",
- "desc": "Save all OCSP responses provided by the peer in this file",
- "conflicts": "save-ocsp"
- },
- {
- "long-option": "save-server-trace",
- "desc": "Save the server-side TLS message trace in the provided file",
- "detail": "",
- "arg-type": "string"
- },
- {
- "arg-type": "string",
- "desc": "Save the client-side TLS message trace in the provided file",
- "detail": "",
- "long-option": "save-client-trace"
- },
- {
- "long-option": "dh-bits",
- "arg-type": "number",
- "detail": "This option sets the minimum number of bits allowed for a Diffie-Hellman key exchange. You may want to lower the default value if the peer sends a weak prime and you get an connection error with unacceptable prime.",
- "desc": "The minimum number of bits allowed for DH"
- },
- {
- "arg-type": "string",
- "long-option": "priority",
- "desc": "Priorities string",
- "detail": "TLS algorithms and protocols to enable. You can\nuse predefined sets of ciphersuites such as PERFORMANCE,\nNORMAL, PFS, SECURE128, SECURE256. The default is NORMAL.\n\nCheck the GnuTLS manual on section ``Priority strings'' for more\ninformation on the allowed keywords"
- },
- {
- "detail": "",
- "desc": "Certificate file or PKCS #11 URL to use",
- "arg-type": "string",
- "long-option": "x509cafile"
- },
- {
- "arg-type": "file",
- "file-exists": "yes",
- "long-option": "x509crlfile",
- "detail": "",
- "desc": "CRL file to use"
- },
- {
- "detail": "",
- "arg-type": "string",
- "desc": "X.509 key file or PKCS #11 URL to use",
- "long-option": "x509keyfile"
- },
- {
- "arg-type": "string",
- "requires": "x509keyfile",
- "long-option": "x509certfile",
- "desc": "X.509 Certificate file or PKCS #11 URL to use",
- "detail": ""
- },
- {
- "desc": "Private key file (PKCS #8 or PKCS #12) or PKCS #11 URL to use",
- "arg-type": "string",
- "long-option": "rawpkkeyfile",
- "detail": "In order to instruct the application to negotiate raw public keys one\nmust enable the respective certificate types via the priority strings (i.e. CTYPE-CLI-*\nand CTYPE-SRV-* flags).\n\nCheck the GnuTLS manual on section ``Priority strings'' for more\ninformation on how to set certificate types."
- },
- {
- "requires": "rawpkkeyfile",
- "detail": "In order to instruct the application to negotiate raw public keys one\nmust enable the respective certificate types via the priority strings (i.e. CTYPE-CLI-*\nand CTYPE-SRV-* flags).\n\nCheck the GnuTLS manual on section ``Priority strings'' for more\ninformation on how to set certificate types.",
- "desc": "Raw public-key file to use",
- "long-option": "rawpkfile",
- "arg-type": "string"
- },
- {
- "desc": "SRP username to use",
- "detail": "",
- "arg-type": "string",
- "long-option": "srpusername"
- },
- {
- "arg-type": "string",
- "detail": "",
- "desc": "SRP password to use",
- "long-option": "srppasswd"
- },
- {
- "desc": "PSK username to use",
- "arg-type": "string",
- "detail": "",
- "long-option": "pskusername"
- },
- {
- "arg-type": "string",
- "long-option": "pskkey",
- "desc": "PSK key (in hex) to use",
- "detail": ""
- },
- {
- "arg-type": "string",
- "short-option": "p",
- "detail": "",
- "desc": "The port or service to connect to",
- "long-option": "port"
- },
- {
- "long-option": "insecure",
- "detail": "",
- "desc": "Don't abort program if server certificate can't be validated"
- },
- {
- "desc": "Allow broken algorithms, such as MD5 for certificate verification",
- "detail": "",
- "long-option": "verify-allow-broken"
- },
- {
- "desc": "Use length-hiding padding to prevent traffic analysis",
- "deprecated": "",
- "long-option": "ranges",
- "detail": "When possible (e.g., when using CBC ciphersuites), use length-hiding padding to prevent traffic analysis."
- },
- {
- "long-option": "benchmark-ciphers",
- "detail": "By default the benchmarked ciphers will utilize any capabilities of the local CPU to improve performance. To test against the raw software implementation set the environment variable GNUTLS_CPUID_OVERRIDE to 0x1.",
- "desc": "Benchmark individual ciphers"
- },
- {
- "long-option": "benchmark-tls-kx",
- "detail": "",
- "desc": "Benchmark TLS key exchange methods"
- },
- {
- "long-option": "benchmark-tls-ciphers",
- "desc": "Benchmark TLS ciphers",
- "detail": "By default the benchmarked ciphers will utilize any capabilities of the local CPU to improve performance. To test against the raw software implementation set the environment variable GNUTLS_CPUID_OVERRIDE to 0x1."
- },
- {
- "long-option": "list",
- "desc": "Print a list of the supported algorithms and modes",
- "short-option": "l",
- "detail": "Print a list of the supported algorithms and modes. If a priority string is given then only the enabled ciphersuites are shown.",
- "conflicts": "port"
- },
- {
- "desc": "Print a list of the supported priority strings",
- "detail": "Print a list of the supported priority strings. The ciphersuites corresponding to each priority string can be examined using -l -p.",
- "long-option": "priority-list"
- },
- {
- "detail": "Disable the request of receiving of session tickets under TLS1.2 or earlier",
- "long-option": "noticket",
- "desc": "Don't allow session tickets"
- },
- {
- "arg-type": "string",
- "long-option": "srtp-profiles",
- "desc": "Offer SRTP profiles",
- "detail": ""
- },
- {
- "arg-type": "string",
- "stack-arg": "",
- "desc": "Application layer protocol",
- "long-option": "alpn",
- "detail": "This option will set and enable the Application Layer Protocol Negotiation (ALPN) in the TLS protocol.",
- "max": "NOLIMIT"
- },
- {
- "arg-type": "string",
- "long-option": "compress-cert",
- "desc": "Compress certificate",
- "detail": "This option sets a list of supported compression methods for certificate compression. Use comma delimited list of compression methods such as \"zlib,brotli,zstd\"."
- },
- {
- "detail": "",
- "long-option": "heartbeat",
- "short-option": "b",
- "desc": "Activate heartbeat support"
- },
- {
- "arg-max": "4096",
- "arg-min": "0",
- "long-option": "recordsize",
- "detail": "",
- "arg-type": "number",
- "desc": "The maximum record size to advertise"
- },
- {
- "detail": "",
- "long-option": "disable-sni",
- "desc": "Do not send a Server Name Indication (SNI)"
- },
- {
- "desc": "Disable all the TLS extensions",
- "detail": "This option disables all TLS extensions. Deprecated option. Use the priority string.",
- "long-option": "disable-extensions",
- "deprecated": ""
- },
- {
- "detail": "This option switches the default mode of sending multiple\nkey shares, to send a single one (the top one).",
- "desc": "Send a single key share under TLS1.3",
- "long-option": "single-key-share"
- },
- {
- "detail": "This option enables post-handshake authentication when under TLS1.3.",
- "long-option": "post-handshake-auth",
- "desc": "Enable post-handshake authentication under TLS1.3"
- },
- {
- "desc": "Inline commands of the form ^<cmd>^",
- "long-option": "inline-commands",
- "detail": "Enable inline commands of the form ^<cmd>^. The inline commands are expected to be in a line by themselves. The available commands are: resume, rekey1 (local rekey), rekey (rekey on both peers) and renegotiate."
- },
- {
- "long-option": "inline-commands-prefix",
- "arg-type": "string",
- "detail": "Change the default delimiter (^) used for inline commands. The delimiter is expected to be a single US-ASCII character (octets 0 - 127). This option is only relevant if inline commands are enabled via the inline-commands option",
- "desc": "Change the default delimiter for inline commands."
- },
- {
- "long-option": "provider",
- "file-exists": "yes",
- "arg-type": "file",
- "desc": "Specify the PKCS #11 provider library",
- "detail": "This will override the default options in /etc/gnutls/pkcs11.conf"
- },
- {
- "detail": "",
- "long-option": "fips140-mode",
- "desc": "Reports the status of the FIPS140-2 mode in gnutls library"
- },
- {
- "detail": "",
- "long-option": "list-config",
- "desc": "Reports the configuration of the library"
- },
- {
- "desc": "Redirect informational messages to a specific file.",
- "arg-type": "string",
- "long-option": "logfile",
- "detail": "Redirect informational messages to a specific file. The file may be /dev/null also to make the gnutls client quiet to use it in piped server connections where only the server communication may appear on stdout."
- },
- {
- "detail": "",
- "desc": "Label used for exporting keying material",
- "arg-type": "string",
- "long-option": "keymatexport"
- },
- {
- "detail": "",
- "arg-type": "number",
- "long-option": "keymatexportsize",
- "desc": "Size of the exported keying material"
- },
- {
- "long-option": "waitresumption",
- "desc": "Block waiting for the resumption data under TLS1.3",
- "detail": "This option makes the client to block waiting for the resumption data under TLS1.3. The option has effect only when --resume is provided."
- },
- {
- "long-option": "ca-auto-retrieve",
- "disabled": "",
- "disable-prefix": "no-",
- "desc": "Enable automatic retrieval of missing CA certificates",
- "detail": "This option enables the client to automatically retrieve the missing intermediate CA certificates in the certificate chain, based on the Authority Information Access (AIA) extension."
- }
- ]
- }
-]
+{
+ "format-version": "0.1.0",
+ "tool": {
+ "name": "gnutls-cli",
+ "title": "GnuTLS client",
+ "description": "Simple client program to set up a TLS connection.",
+ "detail": "Simple client program to set up a TLS connection to some other computer. \nIt sets up a TLS connection and forwards data from the standard input to the secured socket and vice versa.",
+ "short-usage": "Usage: gnutls-cli [options] hostname\ngnutls-cli --help for usage instructions.\n",
+ "argument": "[hostname]",
+ "reorder-arguments": true
+ },
+ "sections": [
+ {
+ "options": [
+ {
+ "long-option": "debug",
+ "short-option": "d",
+ "description": "Enable debugging",
+ "detail": "Specifies the debug level.",
+ "argument-range": {
+ "min": 0,
+ "max": 9999
+ },
+ "argument-type": "number"
+ },
+ {
+ "long-option": "verbose",
+ "short-option": "V",
+ "description": "More verbose output"
+ },
+ {
+ "long-option": "tofu",
+ "description": "Enable trust on first use authentication",
+ "detail": "This option will, in addition to certificate authentication, perform authentication\nbased on previously seen public keys, a model similar to SSH authentication. Note that when tofu \nis specified (PKI) and DANE authentication will become advisory to assist the public key acceptance\nprocess.",
+ "disable-prefix": "no-"
+ },
+ {
+ "long-option": "strict-tofu",
+ "description": "Fail to connect if a certificate is unknown or a known certificate has changed",
+ "detail": "This option will perform authentication as with option --tofu; however, no questions shall be asked whatsoever, neither to accept an unknown certificate nor a changed one.",
+ "disable-prefix": "no-"
+ },
+ {
+ "long-option": "dane",
+ "description": "Enable DANE certificate verification (DNSSEC)",
+ "detail": "This option will, in addition to certificate authentication using \nthe trusted CAs, verify the server certificates using on the DANE information\navailable via DNSSEC.",
+ "disable-prefix": "no-"
+ },
+ {
+ "long-option": "local-dns",
+ "description": "Use the local DNS server for DNSSEC resolving",
+ "detail": "This option will use the local DNS server for DNSSEC.\nThis is disabled by default due to many servers not allowing DNSSEC.",
+ "disable-prefix": "no-"
+ },
+ {
+ "long-option": "ca-verification",
+ "description": "Enable CA certificate verification",
+ "detail": "This option can be used to enable or disable CA certificate verification. It is to be used with the --dane or --tofu options.",
+ "enabled": true,
+ "disable-prefix": "no-"
+ },
+ {
+ "long-option": "ocsp",
+ "description": "Enable OCSP certificate verification",
+ "detail": "This option will enable verification of the peer's certificate using ocsp",
+ "disable-prefix": "no-"
+ },
+ {
+ "long-option": "resume",
+ "short-option": "r",
+ "description": "Establish a session and resume",
+ "detail": "Connect, establish a session, reconnect and resume."
+ },
+ {
+ "long-option": "earlydata",
+ "description": "Send early data on resumption from the specified file",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "rehandshake",
+ "short-option": "e",
+ "description": "Establish a session and rehandshake",
+ "detail": "Connect, establish a session and rehandshake immediately."
+ },
+ {
+ "long-option": "sni-hostname",
+ "description": "Server's hostname for server name indication extension",
+ "detail": "Set explicitly the server name used in the TLS server name indication extension. That is useful when testing with servers setup on different DNS name than the intended. If not specified, the provided hostname is used. Even with this option server certificate verification still uses the hostname passed on the main commandline. Use --verify-hostname to change this.",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "verify-hostname",
+ "description": "Server's hostname to use for validation",
+ "detail": "Set explicitly the server name to be used when validating the server's certificate.",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "starttls",
+ "short-option": "s",
+ "description": "Connect, establish a plain session and start TLS",
+ "detail": "The TLS session will be initiated when EOF or a SIGALRM is received."
+ },
+ {
+ "long-option": "app-proto",
+ "aliases": "starttls-proto"
+ },
+ {
+ "long-option": "starttls-proto",
+ "description": "The application protocol to be used to obtain the server's certificate (https, ftp, smtp, imap, ldap, xmpp, lmtp, pop3, nntp, sieve, postgres)",
+ "detail": "Specify the application layer protocol for STARTTLS. If the protocol is supported, gnutls-cli will proceed to the TLS negotiation.",
+ "conflicts": [
+ "starttls"
+ ],
+ "argument-type": "string"
+ },
+ {
+ "long-option": "udp",
+ "short-option": "u",
+ "description": "Use DTLS (datagram TLS) over UDP"
+ },
+ {
+ "long-option": "mtu",
+ "description": "Set MTU for datagram TLS",
+ "argument-range": {
+ "min": 0,
+ "max": 17000
+ },
+ "argument-type": "number"
+ },
+ {
+ "long-option": "crlf",
+ "description": "Send CR LF instead of LF"
+ },
+ {
+ "long-option": "fastopen",
+ "description": "Enable TCP Fast Open"
+ },
+ {
+ "long-option": "x509fmtder",
+ "description": "Use DER format for certificates to read from"
+ },
+ {
+ "long-option": "print-cert",
+ "description": "Print peer's certificate in PEM format"
+ },
+ {
+ "long-option": "save-cert",
+ "description": "Save the peer's certificate chain in the specified file in PEM format",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "save-ocsp",
+ "description": "Save the peer's OCSP status response in the provided file",
+ "conflicts": [
+ "save-ocsp-multi"
+ ],
+ "argument-type": "string"
+ },
+ {
+ "long-option": "save-ocsp-multi",
+ "description": "Save all OCSP responses provided by the peer in this file",
+ "detail": "The file will contain a list of PEM encoded OCSP status responses if any were provided by the peer, starting with the one for the peer's server certificate.",
+ "conflicts": [
+ "save-ocsp"
+ ],
+ "argument-type": "string"
+ },
+ {
+ "long-option": "save-server-trace",
+ "description": "Save the server-side TLS message trace in the provided file",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "save-client-trace",
+ "description": "Save the client-side TLS message trace in the provided file",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "dh-bits",
+ "description": "The minimum number of bits allowed for DH",
+ "detail": "This option sets the minimum number of bits allowed for a Diffie-Hellman key exchange. You may want to lower the default value if the peer sends a weak prime and you get an connection error with unacceptable prime.",
+ "argument-type": "number"
+ },
+ {
+ "long-option": "priority",
+ "description": "Priorities string",
+ "detail": "TLS algorithms and protocols to enable. You can\nuse predefined sets of ciphersuites such as PERFORMANCE,\nNORMAL, PFS, SECURE128, SECURE256. The default is NORMAL.\n\nCheck the GnuTLS manual on section ``Priority strings'' for more\ninformation on the allowed keywords",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "x509cafile",
+ "description": "Certificate file or PKCS #11 URL to use",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "x509crlfile",
+ "description": "CRL file to use",
+ "file-exists": true,
+ "argument-type": "file"
+ },
+ {
+ "long-option": "x509keyfile",
+ "description": "X.509 key file or PKCS #11 URL to use",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "x509certfile",
+ "description": "X.509 Certificate file or PKCS #11 URL to use",
+ "requires": [
+ "x509keyfile"
+ ],
+ "argument-type": "string"
+ },
+ {
+ "long-option": "rawpkkeyfile",
+ "description": "Private key file (PKCS #8 or PKCS #12) or PKCS #11 URL to use",
+ "detail": "In order to instruct the application to negotiate raw public keys one\nmust enable the respective certificate types via the priority strings (i.e. CTYPE-CLI-*\nand CTYPE-SRV-* flags).\n\nCheck the GnuTLS manual on section ``Priority strings'' for more\ninformation on how to set certificate types.",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "rawpkfile",
+ "description": "Raw public-key file to use",
+ "detail": "In order to instruct the application to negotiate raw public keys one\nmust enable the respective certificate types via the priority strings (i.e. CTYPE-CLI-*\nand CTYPE-SRV-* flags).\n\nCheck the GnuTLS manual on section ``Priority strings'' for more\ninformation on how to set certificate types.",
+ "requires": [
+ "rawpkkeyfile"
+ ],
+ "argument-type": "string"
+ },
+ {
+ "long-option": "srpusername",
+ "description": "SRP username to use",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "srppasswd",
+ "description": "SRP password to use",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "pskusername",
+ "description": "PSK username to use",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "pskkey",
+ "description": "PSK key (in hex) to use",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "port",
+ "short-option": "p",
+ "description": "The port or service to connect to",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "insecure",
+ "description": "Don't abort program if server certificate can't be validated"
+ },
+ {
+ "long-option": "verify-allow-broken",
+ "description": "Allow broken algorithms, such as MD5 for certificate verification"
+ },
+ {
+ "long-option": "ranges",
+ "description": "Use length-hiding padding to prevent traffic analysis",
+ "detail": "When possible (e.g., when using CBC ciphersuites), use length-hiding padding to prevent traffic analysis.",
+ "deprecated": true
+ },
+ {
+ "long-option": "benchmark-ciphers",
+ "description": "Benchmark individual ciphers",
+ "detail": "By default the benchmarked ciphers will utilize any capabilities of the local CPU to improve performance. To test against the raw software implementation set the environment variable GNUTLS_CPUID_OVERRIDE to 0x1."
+ },
+ {
+ "long-option": "benchmark-tls-kx",
+ "description": "Benchmark TLS key exchange methods"
+ },
+ {
+ "long-option": "benchmark-tls-ciphers",
+ "description": "Benchmark TLS ciphers",
+ "detail": "By default the benchmarked ciphers will utilize any capabilities of the local CPU to improve performance. To test against the raw software implementation set the environment variable GNUTLS_CPUID_OVERRIDE to 0x1."
+ },
+ {
+ "long-option": "list",
+ "short-option": "l",
+ "description": "Print a list of the supported algorithms and modes",
+ "detail": "Print a list of the supported algorithms and modes. If a priority string is given then only the enabled ciphersuites are shown.",
+ "conflicts": [
+ "port"
+ ]
+ },
+ {
+ "long-option": "priority-list",
+ "description": "Print a list of the supported priority strings",
+ "detail": "Print a list of the supported priority strings. The ciphersuites corresponding to each priority string can be examined using -l -p."
+ },
+ {
+ "long-option": "noticket",
+ "description": "Don't allow session tickets",
+ "detail": "Disable the request of receiving of session tickets under TLS1.2 or earlier"
+ },
+ {
+ "long-option": "srtp-profiles",
+ "description": "Offer SRTP profiles",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "alpn",
+ "description": "Application layer protocol",
+ "detail": "This option will set and enable the Application Layer Protocol Negotiation (ALPN) in the TLS protocol.",
+ "argument-type": "string",
+ "multiple": true
+ },
+ {
+ "long-option": "compress-cert",
+ "description": "Compress certificate",
+ "detail": "This option sets a list of supported compression methods for certificate compression. Use comma delimited list of compression methods such as \"zlib,brotli,zstd\".",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "heartbeat",
+ "short-option": "b",
+ "description": "Activate heartbeat support"
+ },
+ {
+ "long-option": "recordsize",
+ "description": "The maximum record size to advertise",
+ "argument-range": {
+ "min": 0,
+ "max": 4096
+ },
+ "argument-type": "number"
+ },
+ {
+ "long-option": "disable-sni",
+ "description": "Do not send a Server Name Indication (SNI)"
+ },
+ {
+ "long-option": "disable-extensions",
+ "description": "Disable all the TLS extensions",
+ "detail": "This option disables all TLS extensions. Deprecated option. Use the priority string.",
+ "deprecated": true
+ },
+ {
+ "long-option": "single-key-share",
+ "description": "Send a single key share under TLS1.3",
+ "detail": "This option switches the default mode of sending multiple\nkey shares, to send a single one (the top one)."
+ },
+ {
+ "long-option": "post-handshake-auth",
+ "description": "Enable post-handshake authentication under TLS1.3",
+ "detail": "This option enables post-handshake authentication when under TLS1.3."
+ },
+ {
+ "long-option": "inline-commands",
+ "description": "Inline commands of the form ^<cmd>^",
+ "detail": "Enable inline commands of the form ^<cmd>^. The inline commands are expected to be in a line by themselves. The available commands are: resume, rekey1 (local rekey), rekey (rekey on both peers) and renegotiate."
+ },
+ {
+ "long-option": "inline-commands-prefix",
+ "description": "Change the default delimiter for inline commands",
+ "detail": "Change the default delimiter (^) used for inline commands. The delimiter is expected to be a single US-ASCII character (octets 0 - 127). This option is only relevant if inline commands are enabled via the inline-commands option",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "provider",
+ "description": "Specify the PKCS #11 provider library",
+ "detail": "This will override the default options in /etc/gnutls/pkcs11.conf",
+ "file-exists": true,
+ "argument-type": "file"
+ },
+ {
+ "long-option": "fips140-mode",
+ "description": "Reports the status of the FIPS140-2 mode in gnutls library"
+ },
+ {
+ "long-option": "list-config",
+ "description": "Reports the configuration of the library"
+ },
+ {
+ "long-option": "logfile",
+ "description": "Redirect informational messages to a specific file",
+ "detail": "Redirect informational messages to a specific file. The file may be /dev/null also to make the gnutls client quiet to use it in piped server connections where only the server communication may appear on stdout.",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "keymatexport",
+ "description": "Label used for exporting keying material",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "keymatexportsize",
+ "description": "Size of the exported keying material",
+ "argument-type": "number"
+ },
+ {
+ "long-option": "waitresumption",
+ "description": "Block waiting for the resumption data under TLS1.3",
+ "detail": "This option makes the client to block waiting for the resumption data under TLS1.3. The option has effect only when --resume is provided."
+ },
+ {
+ "long-option": "ca-auto-retrieve",
+ "description": "Enable automatic retrieval of missing CA certificates",
+ "detail": "This option enables the client to automatically retrieve the missing intermediate CA certificates in the certificate chain, based on the Authority Information Access (AIA) extension.",
+ "disable-prefix": "no-"
+ }
+ ]
+ }
+ ]
+} \ No newline at end of file
diff --git a/src/gnutls-serv-options.json b/src/gnutls-serv-options.json
index 3ef51111f9..342b8a8cdc 100644
--- a/src/gnutls-serv-options.json
+++ b/src/gnutls-serv-options.json
@@ -1,338 +1,312 @@
-[
- {
- "meta": {
- "desc": "",
- "prog-desc": "Simple server program to act as an HTTPS or TLS echo service.",
- "explain": "",
- "short-usage": "Usage: gnutls-serv [options]\ngnutls-serv --help for usage instructions.\n",
- "detail": "Server program that listens to incoming TLS connections.",
- "prog-name": "gnutls-serv",
- "prog-title": "GnuTLS server"
- },
- "options": [
- {
- "arg-type": "number",
- "arg-max": " 9999",
- "arg-min": "0 ",
- "short-option": "d",
- "detail": "Specifies the debug level.",
- "long-option": "debug",
- "desc": "Enable debugging"
- },
- {
- "arg-type": "string",
- "detail": "Server name of type host_name that the server will recognise as its own. If the server receives client hello with different name, it will send a warning-level unrecognized_name alert.",
- "desc": "Server's hostname for server name extension",
- "long-option": "sni-hostname"
- },
- {
- "long-option": "sni-hostname-fatal",
- "desc": "Send fatal alert on sni-hostname mismatch",
- "detail": ""
- },
- {
- "max": "NOLIMIT",
- "detail": "Specify the (textual) ALPN protocol for the server to use.",
- "desc": "Specify ALPN protocol to be enabled by the server",
- "long-option": "alpn",
- "arg-type": "string",
- "stack-arg": ""
- },
- {
- "detail": "",
- "long-option": "alpn-fatal",
- "desc": "Send fatal alert on non-matching ALPN name"
- },
- {
- "desc": "Don't accept session tickets",
- "detail": "",
- "long-option": "noticket"
- },
- {
- "detail": "",
- "long-option": "earlydata",
- "desc": "Accept early data"
- },
- {
- "arg-type": "number",
- "desc": "The maximum early data size to accept",
- "detail": "",
- "arg-max": "",
- "long-option": "maxearlydata",
- "arg-min": "1"
- },
- {
- "long-option": "nocookie",
- "detail": "",
- "desc": "Don't require cookie on DTLS sessions"
- },
- {
- "detail": "",
- "long-option": "generate",
- "short-option": "g",
- "desc": "Generate Diffie-Hellman parameters"
- },
- {
- "short-option": "q",
- "desc": "Suppress some messages",
- "long-option": "quiet",
- "detail": ""
- },
- {
- "long-option": "nodb",
- "desc": "Do not use a resumption database",
- "detail": ""
- },
- {
- "desc": "Act as an HTTP server",
- "long-option": "http",
- "detail": ""
- },
- {
- "desc": "Act as an Echo server",
- "detail": "",
- "long-option": "echo"
- },
- {
- "long-option": "crlf",
- "desc": "Do not replace CRLF by LF in Echo server mode",
- "detail": ""
- },
- {
- "desc": "Use DTLS (datagram TLS) over UDP",
- "short-option": "u",
- "long-option": "udp",
- "detail": ""
- },
- {
- "arg-type": "number",
- "desc": "Set MTU for datagram TLS",
- "arg-min": "0",
- "detail": "",
- "arg-max": "17000",
- "long-option": "mtu"
- },
- {
- "detail": "",
- "long-option": "srtp-profiles",
- "desc": "Offer SRTP profiles",
- "arg-type": "string"
- },
- {
- "desc": "Do not request a client certificate",
- "short-option": "a",
- "conflicts": "require-client-cert",
- "detail": "",
- "long-option": "disable-client-cert"
- },
- {
- "disabled": "",
- "detail": "This option before 3.6.0 used to imply --verify-client-cert.\nSince 3.6.0 it will no longer verify the certificate by default.",
- "long-option": "require-client-cert",
- "desc": "Require a client certificate",
- "short-option": "r"
- },
- {
- "disabled": "",
- "desc": "If a client certificate is sent then verify it.",
- "detail": "Do not require, but if a client certificate is sent then verify it and close the connection if invalid.",
- "long-option": "verify-client-cert"
- },
- {
- "arg-type": "string",
- "long-option": "compress-cert",
- "desc": "Compress certificate",
- "detail": "This option sets a list of supported compression methods for certificate compression. Use comma delimited list of compression methods such as \"zlib,brotli,zstd\"."
- },
- {
- "long-option": "heartbeat",
- "desc": "Activate heartbeat support",
- "detail": "Regularly ping client via heartbeat extension messages",
- "short-option": "b"
- },
- {
- "desc": "Use DER format for certificates to read from",
- "detail": "",
- "long-option": "x509fmtder"
- },
- {
- "detail": "TLS algorithms and protocols to enable. You can\nuse predefined sets of ciphersuites such as PERFORMANCE,\nNORMAL, SECURE128, SECURE256. The default is NORMAL.\n\nCheck the GnuTLS manual on section ``Priority strings'' for more\ninformation on allowed keywords",
- "arg-type": "string",
- "long-option": "priority",
- "desc": "Priorities string"
- },
- {
- "detail": "",
- "long-option": "dhparams",
- "arg-type": "file",
- "file-exists": "yes",
- "desc": "DH params file to use"
- },
- {
- "arg-type": "string",
- "desc": "Certificate file or PKCS #11 URL to use",
- "detail": "",
- "long-option": "x509cafile"
- },
- {
- "desc": "CRL file to use",
- "detail": "",
- "arg-type": "file",
- "file-exists": "yes",
- "long-option": "x509crlfile"
- },
- {
- "detail": "",
- "deprecated": "",
- "long-option": "pgpkeyfile",
- "file-exists": "yes",
- "desc": "PGP Key file to use",
- "arg-type": "file"
- },
- {
- "stack-arg": "",
- "max": "NOLIMIT",
- "long-option": "x509keyfile",
- "detail": "Specify the private key file or URI to use; it must correspond to\nthe certificate specified in --x509certfile. Multiple keys and certificates\ncan be specified with this option and in that case each occurrence of keyfile\nmust be followed by the corresponding x509certfile or vice-versa.",
- "desc": "X.509 key file or PKCS #11 URL to use",
- "arg-type": "string"
- },
- {
- "detail": "Specify the certificate file or URI to use; it must correspond to\nthe key specified in --x509keyfile. Multiple keys and certificates\ncan be specified with this option and in that case each occurrence of keyfile\nmust be followed by the corresponding x509certfile or vice-versa.",
- "arg-type": "string",
- "stack-arg": "",
- "max": "NOLIMIT",
- "long-option": "x509certfile",
- "desc": "X.509 Certificate file or PKCS #11 URL to use"
- },
- {
- "aliases": "x509keyfile",
- "long-option": "x509dsakeyfile",
- "desc": "Alternative X.509 key file or PKCS #11 URL to use",
- "deprecated": ""
- },
- {
- "long-option": "x509dsacertfile",
- "desc": "Alternative X.509 Certificate file or PKCS #11 URL to use",
- "deprecated": "",
- "aliases": "x509certfile"
- },
- {
- "deprecated": "",
- "long-option": "x509ecckeyfile",
- "aliases": "x509keyfile",
- "desc": "Alternative X.509 key file or PKCS #11 URL to use"
- },
- {
- "desc": "Alternative X.509 Certificate file or PKCS #11 URL to use",
- "aliases": "x509certfile",
- "deprecated": "",
- "long-option": "x509ecccertfile"
- },
- {
- "stack-arg": "",
- "long-option": "rawpkkeyfile",
- "max": "NOLIMIT",
- "desc": "Private key file (PKCS #8 or PKCS #12) or PKCS #11 URL to use",
- "arg-type": "string",
- "detail": "Specify the private key file or URI to use; it must correspond to\nthe raw public-key specified in --rawpkfile. Multiple key pairs\ncan be specified with this option and in that case each occurrence of keyfile\nmust be followed by the corresponding rawpkfile or vice-versa.\n\nIn order to instruct the application to negotiate raw public keys one\nmust enable the respective certificate types via the priority strings (i.e. CTYPE-CLI-*\nand CTYPE-SRV-* flags).\n\nCheck the GnuTLS manual on section ``Priority strings'' for more\ninformation on how to set certificate types."
- },
- {
- "detail": "Specify the raw public-key file to use; it must correspond to\nthe private key specified in --rawpkkeyfile. Multiple key pairs\ncan be specified with this option and in that case each occurrence of keyfile\nmust be followed by the corresponding rawpkfile or vice-versa.\n\nIn order to instruct the application to negotiate raw public keys one\nmust enable the respective certificate types via the priority strings (i.e. CTYPE-CLI-*\nand CTYPE-SRV-* flags).\n\nCheck the GnuTLS manual on section ``Priority strings'' for more\ninformation on how to set certificate types.",
- "requires": "rawpkkeyfile",
- "desc": "Raw public-key file to use",
- "stack-arg": "",
- "max": "NOLIMIT",
- "long-option": "rawpkfile",
- "arg-type": "string"
- },
- {
- "detail": "",
- "desc": "SRP password file to use",
- "long-option": "srppasswd",
- "file-exists": "yes",
- "arg-type": "file"
- },
- {
- "desc": "SRP password configuration file to use",
- "long-option": "srppasswdconf",
- "file-exists": "yes",
- "arg-type": "file",
- "detail": ""
- },
- {
- "detail": "",
- "file-exists": "yes",
- "desc": "PSK password file to use",
- "arg-type": "file",
- "long-option": "pskpasswd"
- },
- {
- "arg-type": "string",
- "desc": "PSK identity hint to use",
- "detail": "",
- "long-option": "pskhint"
- },
- {
- "desc": "The OCSP response to send to client",
- "max": "NOLIMIT",
- "detail": "If the client requested an OCSP response, return data from this file to the client.",
- "long-option": "ocsp-response",
- "stack-arg": "",
- "arg-type": "string"
- },
- {
- "long-option": "ignore-ocsp-response-errors",
- "desc": "Ignore any errors when setting the OCSP response",
- "detail": "That option instructs gnutls to not attempt to match the provided OCSP responses with the certificates."
- },
- {
- "desc": "The port to connect to",
- "detail": "",
- "arg-type": "number",
- "short-option": "p",
- "long-option": "port"
- },
- {
- "desc": "Print a list of the supported algorithms and modes",
- "detail": "Print a list of the supported algorithms and modes. If a priority string is given then only the enabled ciphersuites are shown.",
- "short-option": "l",
- "long-option": "list"
- },
- {
- "desc": "Specify the PKCS #11 provider library",
- "file-exists": "yes",
- "arg-type": "file",
- "detail": "This will override the default options in /etc/gnutls/pkcs11.conf",
- "long-option": "provider"
- },
- {
- "arg-type": "string",
- "long-option": "keymatexport",
- "detail": "",
- "desc": "Label used for exporting keying material"
- },
- {
- "desc": "Size of the exported keying material",
- "long-option": "keymatexportsize",
- "arg-type": "number",
- "detail": ""
- },
- {
- "desc": "The maximum record size to advertise",
- "arg-max": "16384",
- "arg-type": "number",
- "detail": "",
- "long-option": "recordsize",
- "arg-min": "0"
- },
- {
- "detail": "",
- "arg-type": "file",
- "long-option": "httpdata",
- "file-exists": "yes",
- "desc": "The data used as HTTP response"
- }
- ]
- }
-]
+{
+ "format-version": "0.1.0",
+ "tool": {
+ "name": "gnutls-serv",
+ "title": "GnuTLS server",
+ "description": "Simple server program to act as an HTTPS or TLS echo service.",
+ "detail": "Server program that listens to incoming TLS connections.",
+ "short-usage": "Usage: gnutls-serv [options]\ngnutls-serv --help for usage instructions.\n"
+ },
+ "sections": [
+ {
+ "options": [
+ {
+ "long-option": "debug",
+ "short-option": "d",
+ "description": "Enable debugging",
+ "detail": "Specifies the debug level.",
+ "argument-range": {
+ "min": 0,
+ "max": 9999
+ },
+ "argument-type": "number"
+ },
+ {
+ "long-option": "sni-hostname",
+ "description": "Server's hostname for server name extension",
+ "detail": "Server name of type host_name that the server will recognise as its own. If the server receives client hello with different name, it will send a warning-level unrecognized_name alert.",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "sni-hostname-fatal",
+ "description": "Send fatal alert on sni-hostname mismatch"
+ },
+ {
+ "long-option": "alpn",
+ "description": "Specify ALPN protocol to be enabled by the server",
+ "detail": "Specify the (textual) ALPN protocol for the server to use.",
+ "argument-type": "string",
+ "multiple": true
+ },
+ {
+ "long-option": "alpn-fatal",
+ "description": "Send fatal alert on non-matching ALPN name"
+ },
+ {
+ "long-option": "noticket",
+ "description": "Don't accept session tickets"
+ },
+ {
+ "long-option": "earlydata",
+ "description": "Accept early data"
+ },
+ {
+ "long-option": "maxearlydata",
+ "description": "The maximum early data size to accept",
+ "argument-range": {
+ "min": 1
+ },
+ "argument-type": "number"
+ },
+ {
+ "long-option": "nocookie",
+ "description": "Don't require cookie on DTLS sessions"
+ },
+ {
+ "long-option": "generate",
+ "short-option": "g",
+ "description": "Generate Diffie-Hellman parameters"
+ },
+ {
+ "long-option": "quiet",
+ "short-option": "q",
+ "description": "Suppress some messages"
+ },
+ {
+ "long-option": "nodb",
+ "description": "Do not use a resumption database"
+ },
+ {
+ "long-option": "http",
+ "description": "Act as an HTTP server"
+ },
+ {
+ "long-option": "echo",
+ "description": "Act as an Echo server"
+ },
+ {
+ "long-option": "crlf",
+ "description": "Do not replace CRLF by LF in Echo server mode"
+ },
+ {
+ "long-option": "udp",
+ "short-option": "u",
+ "description": "Use DTLS (datagram TLS) over UDP"
+ },
+ {
+ "long-option": "mtu",
+ "description": "Set MTU for datagram TLS",
+ "argument-range": {
+ "min": 0,
+ "max": 17000
+ },
+ "argument-type": "number"
+ },
+ {
+ "long-option": "srtp-profiles",
+ "description": "Offer SRTP profiles",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "disable-client-cert",
+ "short-option": "a",
+ "description": "Do not request a client certificate",
+ "conflicts": [
+ "require-client-cert"
+ ]
+ },
+ {
+ "long-option": "require-client-cert",
+ "short-option": "r",
+ "description": "Require a client certificate",
+ "detail": "This option before 3.6.0 used to imply --verify-client-cert.\nSince 3.6.0 it will no longer verify the certificate by default."
+ },
+ {
+ "long-option": "verify-client-cert",
+ "description": "If a client certificate is sent then verify it",
+ "detail": "Do not require, but if a client certificate is sent then verify it and close the connection if invalid."
+ },
+ {
+ "long-option": "compress-cert",
+ "description": "Compress certificate",
+ "detail": "This option sets a list of supported compression methods for certificate compression. Use comma delimited list of compression methods such as \"zlib,brotli,zstd\".",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "heartbeat",
+ "short-option": "b",
+ "description": "Activate heartbeat support",
+ "detail": "Regularly ping client via heartbeat extension messages"
+ },
+ {
+ "long-option": "x509fmtder",
+ "description": "Use DER format for certificates to read from"
+ },
+ {
+ "long-option": "priority",
+ "description": "Priorities string",
+ "detail": "TLS algorithms and protocols to enable. You can\nuse predefined sets of ciphersuites such as PERFORMANCE,\nNORMAL, SECURE128, SECURE256. The default is NORMAL.\n\nCheck the GnuTLS manual on section ``Priority strings'' for more\ninformation on allowed keywords",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "dhparams",
+ "description": "DH params file to use",
+ "file-exists": true,
+ "argument-type": "file"
+ },
+ {
+ "long-option": "x509cafile",
+ "description": "Certificate file or PKCS #11 URL to use",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "x509crlfile",
+ "description": "CRL file to use",
+ "file-exists": true,
+ "argument-type": "file"
+ },
+ {
+ "long-option": "pgpkeyfile",
+ "description": "PGP Key file to use",
+ "file-exists": true,
+ "deprecated": true,
+ "argument-type": "file"
+ },
+ {
+ "long-option": "x509keyfile",
+ "description": "X.509 key file or PKCS #11 URL to use",
+ "detail": "Specify the private key file or URI to use; it must correspond to\nthe certificate specified in --x509certfile. Multiple keys and certificates\ncan be specified with this option and in that case each occurrence of keyfile\nmust be followed by the corresponding x509certfile or vice-versa.",
+ "argument-type": "string",
+ "multiple": true
+ },
+ {
+ "long-option": "x509certfile",
+ "description": "X.509 Certificate file or PKCS #11 URL to use",
+ "detail": "Specify the certificate file or URI to use; it must correspond to\nthe key specified in --x509keyfile. Multiple keys and certificates\ncan be specified with this option and in that case each occurrence of keyfile\nmust be followed by the corresponding x509certfile or vice-versa.",
+ "argument-type": "string",
+ "multiple": true
+ },
+ {
+ "long-option": "x509dsakeyfile",
+ "description": "Alternative X.509 key file or PKCS #11 URL to use",
+ "deprecated": true,
+ "aliases": "x509keyfile"
+ },
+ {
+ "long-option": "x509dsacertfile",
+ "description": "Alternative X.509 Certificate file or PKCS #11 URL to use",
+ "deprecated": true,
+ "aliases": "x509certfile"
+ },
+ {
+ "long-option": "x509ecckeyfile",
+ "description": "Alternative X.509 key file or PKCS #11 URL to use",
+ "deprecated": true,
+ "aliases": "x509keyfile"
+ },
+ {
+ "long-option": "x509ecccertfile",
+ "description": "Alternative X.509 Certificate file or PKCS #11 URL to use",
+ "deprecated": true,
+ "aliases": "x509certfile"
+ },
+ {
+ "long-option": "rawpkkeyfile",
+ "description": "Private key file (PKCS #8 or PKCS #12) or PKCS #11 URL to use",
+ "detail": "Specify the private key file or URI to use; it must correspond to\nthe raw public-key specified in --rawpkfile. Multiple key pairs\ncan be specified with this option and in that case each occurrence of keyfile\nmust be followed by the corresponding rawpkfile or vice-versa.\n\nIn order to instruct the application to negotiate raw public keys one\nmust enable the respective certificate types via the priority strings (i.e. CTYPE-CLI-*\nand CTYPE-SRV-* flags).\n\nCheck the GnuTLS manual on section ``Priority strings'' for more\ninformation on how to set certificate types.",
+ "argument-type": "string",
+ "multiple": true
+ },
+ {
+ "long-option": "rawpkfile",
+ "description": "Raw public-key file to use",
+ "detail": "Specify the raw public-key file to use; it must correspond to\nthe private key specified in --rawpkkeyfile. Multiple key pairs\ncan be specified with this option and in that case each occurrence of keyfile\nmust be followed by the corresponding rawpkfile or vice-versa.\n\nIn order to instruct the application to negotiate raw public keys one\nmust enable the respective certificate types via the priority strings (i.e. CTYPE-CLI-*\nand CTYPE-SRV-* flags).\n\nCheck the GnuTLS manual on section ``Priority strings'' for more\ninformation on how to set certificate types.",
+ "requires": [
+ "rawpkkeyfile"
+ ],
+ "argument-type": "string",
+ "multiple": true
+ },
+ {
+ "long-option": "srppasswd",
+ "description": "SRP password file to use",
+ "file-exists": true,
+ "argument-type": "file"
+ },
+ {
+ "long-option": "srppasswdconf",
+ "description": "SRP password configuration file to use",
+ "file-exists": true,
+ "argument-type": "file"
+ },
+ {
+ "long-option": "pskpasswd",
+ "description": "PSK password file to use",
+ "file-exists": true,
+ "argument-type": "file"
+ },
+ {
+ "long-option": "pskhint",
+ "description": "PSK identity hint to use",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "ocsp-response",
+ "description": "The OCSP response to send to client",
+ "detail": "If the client requested an OCSP response, return data from this file to the client.",
+ "argument-type": "string",
+ "multiple": true
+ },
+ {
+ "long-option": "ignore-ocsp-response-errors",
+ "description": "Ignore any errors when setting the OCSP response",
+ "detail": "That option instructs gnutls to not attempt to match the provided OCSP responses with the certificates."
+ },
+ {
+ "long-option": "port",
+ "short-option": "p",
+ "description": "The port to connect to",
+ "argument-type": "number"
+ },
+ {
+ "long-option": "list",
+ "short-option": "l",
+ "description": "Print a list of the supported algorithms and modes",
+ "detail": "Print a list of the supported algorithms and modes. If a priority string is given then only the enabled ciphersuites are shown."
+ },
+ {
+ "long-option": "provider",
+ "description": "Specify the PKCS #11 provider library",
+ "detail": "This will override the default options in /etc/gnutls/pkcs11.conf",
+ "file-exists": true,
+ "argument-type": "file"
+ },
+ {
+ "long-option": "keymatexport",
+ "description": "Label used for exporting keying material",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "keymatexportsize",
+ "description": "Size of the exported keying material",
+ "argument-type": "number"
+ },
+ {
+ "long-option": "recordsize",
+ "description": "The maximum record size to advertise",
+ "argument-range": {
+ "min": 0,
+ "max": 16384
+ },
+ "argument-type": "number"
+ },
+ {
+ "long-option": "httpdata",
+ "description": "The data used as HTTP response",
+ "file-exists": true,
+ "argument-type": "file"
+ }
+ ]
+ }
+ ]
+} \ No newline at end of file
diff --git a/src/ocsptool-options.json b/src/ocsptool-options.json
index f3b4116190..0a45a14852 100644
--- a/src/ocsptool-options.json
+++ b/src/ocsptool-options.json
@@ -1,164 +1,154 @@
-[
- {
- "meta": {
- "explain": "",
- "prog-title": "GnuTLS OCSP tool",
- "desc": "",
- "prog-name": "ocsptool",
- "detail": "ocsptool is a program that can parse and print information about\nOCSP requests/responses, generate requests and verify responses. Unlike\nother GnuTLS applications it outputs DER encoded structures by default\nunless the '--outpem' option is specified.",
- "short-usage": "ocsptool [options]\nocsptool --help for usage instructions.\n",
- "prog-desc": "Program to handle OCSP request/responses."
- },
- "options": [
- {
- "arg-type": "number",
- "arg-min": "0 ",
- "desc": "Enable debugging",
- "detail": "Specifies the debug level.",
- "short-option": "d",
- "arg-max": " 9999",
- "long-option": "debug"
- },
- {
- "desc": "More verbose output",
- "detail": "",
- "short-option": "V",
- "long-option": "verbose",
- "disabled": "",
- "max": "NOLIMIT"
- },
- {
- "long-option": "infile",
- "arg-type": "file",
- "desc": "Input file",
- "file-exists": "yes",
- "detail": ""
- },
- {
- "arg-type": "string",
- "long-option": "outfile",
- "desc": "Output file",
- "detail": ""
- },
- {
- "arg-type": "string",
- "detail": "Connects to the specified HTTP OCSP server and queries on the validity of the loaded certificate.\nIts argument can be a URL or a plain server name. It can be combined with --load-chain, where it checks\nall certificates in the provided chain, or with --load-cert and\n--load-issuer options. The latter checks the provided certificate\nagainst its specified issuer certificate.",
- "long-option": "ask",
- "arg-name": "server name|url",
- "arg-optional": "",
- "desc": "Ask an OCSP/HTTP server on a certificate validity"
- },
- {
- "long-option": "verify-response",
- "desc": "Verify response",
- "detail": "Verifies the provided OCSP response against the system trust\nanchors (unless --load-trust is provided). It requires the --load-signer\nor --load-chain options to obtain the signer of the OCSP response.",
- "short-option": "e"
- },
- {
- "long-option": "request-info",
- "short-option": "i",
- "desc": "Print information on a OCSP request",
- "detail": "Display detailed information on the provided OCSP request."
- },
- {
- "desc": "Print information on a OCSP response",
- "detail": "Display detailed information on the provided OCSP response.",
- "short-option": "j",
- "long-option": "response-info"
- },
- {
- "detail": "",
- "desc": "Generates an OCSP request",
- "short-option": "q",
- "long-option": "generate-request"
- },
- {
- "disabled": "yes",
- "detail": "",
- "long-option": "nonce",
- "disable-prefix": "no-",
- "desc": "Use (or not) a nonce to OCSP request"
- },
- {
- "file-exists": "yes",
- "desc": "Reads a set of certificates forming a chain from file",
- "detail": "",
- "arg-type": "file",
- "long-option": "load-chain"
- },
- {
- "desc": "Reads issuer's certificate from file",
- "long-option": "load-issuer",
- "detail": "",
- "file-exists": "yes",
- "arg-type": "file"
- },
- {
- "desc": "Reads the certificate to check from file",
- "file-exists": "yes",
- "arg-type": "file",
- "detail": "",
- "long-option": "load-cert"
- },
- {
- "long-option": "load-trust",
- "detail": "When verifying an OCSP response read the trust anchors from the\nprovided file. When this is not provided, the system's trust anchors will be\nused.",
- "arg-type": "file",
- "file-exists": "yes",
- "desc": "Read OCSP trust anchors from file",
- "conflicts": "load-signer"
- },
- {
- "long-option": "load-signer",
- "arg-type": "file",
- "file-exists": "yes",
- "conflicts": "load-trust",
- "detail": "",
- "desc": "Reads the OCSP response signer from file"
- },
- {
- "long-option": "inder",
- "disable-prefix": "no-",
- "detail": "",
- "desc": "Use DER format for input certificates and private keys",
- "disabled": ""
- },
- {
- "detail": "The output will be in DER encoded format. Unlike other GnuTLS tools, this is the default for this tool",
- "long-option": "outder",
- "desc": "Use DER format for output of responses (this is the default)"
- },
- {
- "long-option": "outpem",
- "desc": "Use PEM format for output of responses",
- "detail": "The output will be in PEM format."
- },
- {
- "file-exists": "yes",
- "detail": "",
- "short-option": "Q",
- "arg-type": "file",
- "long-option": "load-request",
- "desc": "Reads the DER encoded OCSP request from file"
- },
- {
- "detail": "",
- "file-exists": "yes",
- "long-option": "load-response",
- "arg-type": "file",
- "short-option": "S",
- "desc": "Reads the DER encoded OCSP response from file"
- },
- {
- "desc": "Ignore any verification errors",
- "long-option": "ignore-errors",
- "detail": ""
- },
- {
- "detail": "This can be combined with --verify-response.",
- "long-option": "verify-allow-broken",
- "desc": "Allow broken algorithms, such as MD5 for verification"
- }
- ]
- }
-] \ No newline at end of file
+{
+ "format-version": "0.1.0",
+ "tool": {
+ "name": "ocsptool",
+ "title": "GnuTLS OCSP tool",
+ "description": "Program to handle OCSP request/responses.",
+ "detail": "ocsptool is a program that can parse and print information about\nOCSP requests/responses, generate requests and verify responses. Unlike\nother GnuTLS applications it outputs DER encoded structures by default\nunless the '--outpem' option is specified.",
+ "short-usage": "ocsptool [options]\nocsptool --help for usage instructions.\n"
+ },
+ "sections": [
+ {
+ "options": [
+ {
+ "long-option": "debug",
+ "short-option": "d",
+ "description": "Enable debugging",
+ "detail": "Specifies the debug level.",
+ "argument-range": {
+ "min": 0,
+ "max": 9999
+ },
+ "argument-type": "number"
+ },
+ {
+ "long-option": "verbose",
+ "short-option": "V",
+ "description": "More verbose output"
+ },
+ {
+ "long-option": "infile",
+ "description": "Input file",
+ "file-exists": true,
+ "argument-type": "file"
+ },
+ {
+ "long-option": "outfile",
+ "description": "Output file",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "ask",
+ "description": "Ask an OCSP/HTTP server on a certificate validity",
+ "detail": "Connects to the specified HTTP OCSP server and queries on the validity of the loaded certificate.\nIts argument can be a URL or a plain server name. It can be combined with --load-chain, where it checks\nall certificates in the provided chain, or with --load-cert and\n--load-issuer options. The latter checks the provided certificate\nagainst its specified issuer certificate.",
+ "argument-optional": true,
+ "argument-type": "string",
+ "argument-name": "server name|url"
+ },
+ {
+ "long-option": "verify-response",
+ "short-option": "e",
+ "description": "Verify response",
+ "detail": "Verifies the provided OCSP response against the system trust\nanchors (unless --load-trust is provided). It requires the --load-signer\nor --load-chain options to obtain the signer of the OCSP response."
+ },
+ {
+ "long-option": "request-info",
+ "short-option": "i",
+ "description": "Print information on a OCSP request",
+ "detail": "Display detailed information on the provided OCSP request."
+ },
+ {
+ "long-option": "response-info",
+ "short-option": "j",
+ "description": "Print information on a OCSP response",
+ "detail": "Display detailed information on the provided OCSP response."
+ },
+ {
+ "long-option": "generate-request",
+ "short-option": "q",
+ "description": "Generates an OCSP request"
+ },
+ {
+ "long-option": "nonce",
+ "description": "Use (or not) a nonce to OCSP request",
+ "disable-prefix": "no-"
+ },
+ {
+ "long-option": "load-chain",
+ "description": "Reads a set of certificates forming a chain from file",
+ "file-exists": true,
+ "argument-type": "file"
+ },
+ {
+ "long-option": "load-issuer",
+ "description": "Reads issuer's certificate from file",
+ "file-exists": true,
+ "argument-type": "file"
+ },
+ {
+ "long-option": "load-cert",
+ "description": "Reads the certificate to check from file",
+ "file-exists": true,
+ "argument-type": "file"
+ },
+ {
+ "long-option": "load-trust",
+ "description": "Read OCSP trust anchors from file",
+ "detail": "When verifying an OCSP response read the trust anchors from the\nprovided file. When this is not provided, the system's trust anchors will be\nused.",
+ "file-exists": true,
+ "conflicts": [
+ "load-signer"
+ ],
+ "argument-type": "file"
+ },
+ {
+ "long-option": "load-signer",
+ "description": "Reads the OCSP response signer from file",
+ "file-exists": true,
+ "conflicts": [
+ "load-trust"
+ ],
+ "argument-type": "file"
+ },
+ {
+ "long-option": "inder",
+ "description": "Use DER format for input certificates and private keys",
+ "disable-prefix": "no-"
+ },
+ {
+ "long-option": "outder",
+ "description": "Use DER format for output of responses (this is the default)",
+ "detail": "The output will be in DER encoded format. Unlike other GnuTLS tools, this is the default for this tool"
+ },
+ {
+ "long-option": "outpem",
+ "description": "Use PEM format for output of responses",
+ "detail": "The output will be in PEM format."
+ },
+ {
+ "long-option": "load-request",
+ "short-option": "Q",
+ "description": "Reads the DER encoded OCSP request from file",
+ "file-exists": true,
+ "argument-type": "file"
+ },
+ {
+ "long-option": "load-response",
+ "short-option": "S",
+ "description": "Reads the DER encoded OCSP response from file",
+ "file-exists": true,
+ "argument-type": "file"
+ },
+ {
+ "long-option": "ignore-errors",
+ "description": "Ignore any verification errors"
+ },
+ {
+ "long-option": "verify-allow-broken",
+ "description": "Allow broken algorithms, such as MD5 for verification",
+ "detail": "This can be combined with --verify-response."
+ }
+ ]
+ }
+ ]
+} \ No newline at end of file
diff --git a/src/p11tool-options.json b/src/p11tool-options.json
index 22be3edde0..28ef2fc441 100644
--- a/src/p11tool-options.json
+++ b/src/p11tool-options.json
@@ -1,452 +1,441 @@
-[
- {
- "meta": {
- "explain": "",
- "short-usage": "p11tool [options] [url]\np11tool --help for usage instructions.\n",
- "desc": "",
- "prog-name": "p11tool",
- "prog-desc": "Program to handle PKCS #11 smart cards and security modules.\n",
- "detail": "Program that allows operations on PKCS #11 smart cards\nand security modules. \n\nTo use PKCS #11 tokens with GnuTLS the p11-kit configuration files need to be setup.\nThat is create a .module file in /etc/pkcs11/modules with the contents 'module: /path/to/pkcs11.so'.\nAlternatively the configuration file /etc/gnutls/pkcs11.conf has to exist and contain a number\nof lines of the form 'load=/usr/lib/opensc-pkcs11.so'.\n\nYou can provide the PIN to be used for the PKCS #11 operations with the environment variables\nGNUTLS_PIN and GNUTLS_SO_PIN.\n",
- "reorder-args": "",
- "argument": "[url]",
- "prog-title": "GnuTLS PKCS #11 tool"
- },
- "options": []
+{
+ "format-version": "0.1.0",
+ "tool": {
+ "name": "p11tool",
+ "title": "GnuTLS PKCS #11 tool",
+ "description": "Program to handle PKCS #11 smart cards and security modules.\n",
+ "detail": "Program that allows operations on PKCS #11 smart cards\nand security modules. \n\nTo use PKCS #11 tokens with GnuTLS the p11-kit configuration files need to be setup.\nThat is create a .module file in /etc/pkcs11/modules with the contents 'module: /path/to/pkcs11.so'.\nAlternatively the configuration file /etc/gnutls/pkcs11.conf has to exist and contain a number\nof lines of the form 'load=/usr/lib/opensc-pkcs11.so'.\n\nYou can provide the PIN to be used for the PKCS #11 operations with the environment variables\nGNUTLS_PIN and GNUTLS_SO_PIN.\n",
+ "short-usage": "p11tool [options] [url]\np11tool --help for usage instructions.\n",
+ "argument": "[url]",
+ "reorder-arguments": true
},
- {
- "meta": {
- "desc": "Tokens",
- "id": "token-related-options"
+ "sections": [
+ {
+ "options": []
},
- "options": [
- {
- "long-option": "list-tokens",
- "detail": "",
- "desc": "List all available tokens"
- },
- {
- "desc": "List the URLs available tokens",
- "detail": "This is a more compact version of --list-tokens.",
- "long-option": "list-token-urls"
- },
- {
- "detail": "",
- "desc": "List all available mechanisms in a token",
- "long-option": "list-mechanisms"
- },
- {
- "long-option": "initialize",
- "desc": "Initializes a PKCS #11 token",
- "detail": ""
- },
- {
- "desc": "Initializes/Resets a PKCS #11 token user PIN",
- "detail": "",
- "long-option": "initialize-pin"
- },
- {
- "long-option": "initialize-so-pin",
- "detail": "This initializes the security officer's PIN. When used non-interactively use the GNUTLS_NEW_SO_PIN\nenvironment variables to initialize SO's PIN.",
- "desc": "Initializes/Resets a PKCS #11 token security officer PIN."
- },
- {
- "arg-type": "string",
- "detail": "Alternatively the GNUTLS_PIN environment variable may be used.",
- "desc": "Specify the PIN to use on token operations",
- "long-option": "set-pin"
- },
- {
- "desc": "Specify the Security Officer's PIN to use on token initialization",
- "detail": "Alternatively the GNUTLS_SO_PIN environment variable may be used.",
- "long-option": "set-so-pin",
- "arg-type": "string"
- }
- ]
- },
- {
- "meta": {
- "desc": "Object listing",
- "id": "object-list-related-options"
+ {
+ "ref": "token-related-options",
+ "description": "Tokens",
+ "options": [
+ {
+ "long-option": "list-tokens",
+ "description": "List all available tokens"
+ },
+ {
+ "long-option": "list-token-urls",
+ "description": "List the URLs available tokens",
+ "detail": "This is a more compact version of --list-tokens."
+ },
+ {
+ "long-option": "list-mechanisms",
+ "description": "List all available mechanisms in a token"
+ },
+ {
+ "long-option": "initialize",
+ "description": "Initializes a PKCS #11 token"
+ },
+ {
+ "long-option": "initialize-pin",
+ "description": "Initializes/Resets a PKCS #11 token user PIN"
+ },
+ {
+ "long-option": "initialize-so-pin",
+ "description": "Initializes/Resets a PKCS #11 token security officer PIN",
+ "detail": "This initializes the security officer's PIN. When used non-interactively use the GNUTLS_NEW_SO_PIN\nenvironment variables to initialize SO's PIN."
+ },
+ {
+ "long-option": "set-pin",
+ "description": "Specify the PIN to use on token operations",
+ "detail": "Alternatively the GNUTLS_PIN environment variable may be used.",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "set-so-pin",
+ "description": "Specify the Security Officer's PIN to use on token initialization",
+ "detail": "Alternatively the GNUTLS_SO_PIN environment variable may be used.",
+ "argument-type": "string"
+ }
+ ]
},
- "options": [
- {
- "long-option": "list-all",
- "detail": "All objects available in the token will be listed. That includes\nobjects which are potentially unaccessible using this tool.",
- "desc": "List all available objects in a token"
- },
- {
- "detail": "That option will also provide more information on the\ncertificates, for example, expand the attached extensions in a trust\ntoken (like p11-kit-trust).",
- "desc": "List all available certificates in a token",
- "long-option": "list-all-certs"
- },
- {
- "detail": "That option will only display certificates which have a private\nkey associated with them (share the same ID).",
- "long-option": "list-certs",
- "desc": "List all certificates that have an associated private key"
- },
- {
- "long-option": "list-all-privkeys",
- "detail": "Lists all the private keys in a token that match the specified URL.",
- "desc": "List all available private keys in a token"
- },
- {
- "aliases": "list-all-privkeys",
- "long-option": "list-privkeys"
- },
- {
- "aliases": "list-all-privkeys",
- "long-option": "list-keys"
- },
- {
- "detail": "",
- "desc": "List all available certificates marked as trusted",
- "long-option": "list-all-trusted"
- },
- {
- "detail": "",
- "conflicts": "export-stapled export-chain export-pubkey",
- "long-option": "export",
- "desc": "Export the object specified by the URL"
- },
- {
- "desc": "Export the certificate object specified by the URL",
- "detail": "Exports the certificate specified by the URL while including any attached extensions to it.\nSince attached extensions are a p11-kit extension, this option is only\navailable on p11-kit registered trust modules.",
- "conflicts": "export export-chain export-pubkey",
- "long-option": "export-stapled"
- },
- {
- "conflicts": "export-stapled export export-pubkey",
- "desc": "Export the certificate specified by the URL and its chain of trust",
- "detail": "Exports the certificate specified by the URL and generates its chain of trust based on the stored certificates in the module.",
- "long-option": "export-chain"
- },
- {
- "desc": "Export the public key for a private key",
- "conflicts": "export-stapled export export-chain",
- "long-option": "export-pubkey",
- "detail": "Exports the public key for the specified private key"
- },
- {
- "long-option": "info",
- "detail": "",
- "desc": "List information on an available object in a token"
- },
- {
- "aliases": "mark-trusted",
- "long-option": "trusted"
- },
- {
- "aliases": "mark-distrusted",
- "long-option": "distrusted"
- }
- ]
- },
- {
- "meta": {
- "desc": "Key generation",
- "id": "keygen-related-options"
+ {
+ "ref": "object-list-related-options",
+ "description": "Object listing",
+ "options": [
+ {
+ "long-option": "list-all",
+ "description": "List all available objects in a token",
+ "detail": "All objects available in the token will be listed. That includes\nobjects which are potentially unaccessible using this tool."
+ },
+ {
+ "long-option": "list-all-certs",
+ "description": "List all available certificates in a token",
+ "detail": "That option will also provide more information on the\ncertificates, for example, expand the attached extensions in a trust\ntoken (like p11-kit-trust)."
+ },
+ {
+ "long-option": "list-certs",
+ "description": "List all certificates that have an associated private key",
+ "detail": "That option will only display certificates which have a private\nkey associated with them (share the same ID)."
+ },
+ {
+ "long-option": "list-all-privkeys",
+ "description": "List all available private keys in a token",
+ "detail": "Lists all the private keys in a token that match the specified URL."
+ },
+ {
+ "long-option": "list-privkeys",
+ "aliases": "list-all-privkeys"
+ },
+ {
+ "long-option": "list-keys",
+ "aliases": "list-all-privkeys"
+ },
+ {
+ "long-option": "list-all-trusted",
+ "description": "List all available certificates marked as trusted"
+ },
+ {
+ "long-option": "export",
+ "description": "Export the object specified by the URL",
+ "conflicts": [
+ "export-stapled",
+ "export-chain",
+ "export-pubkey"
+ ]
+ },
+ {
+ "long-option": "export-stapled",
+ "description": "Export the certificate object specified by the URL",
+ "detail": "Exports the certificate specified by the URL while including any attached extensions to it.\nSince attached extensions are a p11-kit extension, this option is only\navailable on p11-kit registered trust modules.",
+ "conflicts": [
+ "export",
+ "export-chain",
+ "export-pubkey"
+ ]
+ },
+ {
+ "long-option": "export-chain",
+ "description": "Export the certificate specified by the URL and its chain of trust",
+ "detail": "Exports the certificate specified by the URL and generates its chain of trust based on the stored certificates in the module.",
+ "conflicts": [
+ "export-stapled",
+ "export",
+ "export-pubkey"
+ ]
+ },
+ {
+ "long-option": "export-pubkey",
+ "description": "Export the public key for a private key",
+ "detail": "Exports the public key for the specified private key",
+ "conflicts": [
+ "export-stapled",
+ "export",
+ "export-chain"
+ ]
+ },
+ {
+ "long-option": "info",
+ "description": "List information on an available object in a token"
+ },
+ {
+ "long-option": "trusted",
+ "aliases": "mark-trusted"
+ },
+ {
+ "long-option": "distrusted",
+ "aliases": "mark-distrusted"
+ }
+ ]
},
- "options": [
- {
- "desc": "Generate private-public key pair of given type",
- "arg-type": "string",
- "detail": "Generates a private-public key pair in the specified token.\nAcceptable types are RSA, ECDSA, Ed25519, and DSA. Should be combined with --sec-param or --bits.",
- "long-option": "generate-privkey"
- },
- {
- "desc": "Generate an RSA private-public key pair",
- "long-option": "generate-rsa",
- "detail": "Generates an RSA private-public key pair on the specified token.\nShould be combined with --sec-param or --bits.",
- "deprecated": ""
- },
- {
- "deprecated": "",
- "desc": "Generate a DSA private-public key pair",
- "detail": "Generates a DSA private-public key pair on the specified token.\nShould be combined with --sec-param or --bits.",
- "long-option": "generate-dsa"
- },
- {
- "deprecated": "",
- "desc": "Generate an ECDSA private-public key pair",
- "long-option": "generate-ecc",
- "detail": "Generates an ECDSA private-public key pair on the specified token.\nShould be combined with --curve, --sec-param or --bits."
- },
- {
- "desc": "Specify the number of bits for the key generate",
- "detail": "For applications which have no key-size restrictions the\n--sec-param option is recommended, as the sec-param levels will adapt\nto the acceptable security levels with the new versions of gnutls.",
- "long-option": "bits",
- "arg-type": "number"
- },
- {
- "detail": "Supported values are secp192r1, secp224r1, secp256r1, secp384r1 and secp521r1.",
- "long-option": "curve",
- "arg-type": "string",
- "desc": "Specify the curve used for EC key generation"
- },
- {
- "long-option": "sec-param",
- "desc": "Specify the security level",
- "detail": "This is alternative to the bits option. Available options are [low, legacy, medium, high, ultra].",
- "arg-name": "Security parameter",
- "arg-type": "string"
- }
- ]
- },
- {
- "meta": {
- "desc": "Writing objects",
- "id": "write-object-related-options"
+ {
+ "ref": "keygen-related-options",
+ "description": "Key generation",
+ "options": [
+ {
+ "long-option": "generate-privkey",
+ "description": "Generate private-public key pair of given type",
+ "detail": "Generates a private-public key pair in the specified token.\nAcceptable types are RSA, ECDSA, Ed25519, and DSA. Should be combined with --sec-param or --bits.",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "generate-rsa",
+ "description": "Generate an RSA private-public key pair",
+ "detail": "Generates an RSA private-public key pair on the specified token.\nShould be combined with --sec-param or --bits.",
+ "deprecated": true
+ },
+ {
+ "long-option": "generate-dsa",
+ "description": "Generate a DSA private-public key pair",
+ "detail": "Generates a DSA private-public key pair on the specified token.\nShould be combined with --sec-param or --bits.",
+ "deprecated": true
+ },
+ {
+ "long-option": "generate-ecc",
+ "description": "Generate an ECDSA private-public key pair",
+ "detail": "Generates an ECDSA private-public key pair on the specified token.\nShould be combined with --curve, --sec-param or --bits.",
+ "deprecated": true
+ },
+ {
+ "long-option": "bits",
+ "description": "Specify the number of bits for the key generate",
+ "detail": "For applications which have no key-size restrictions the\n--sec-param option is recommended, as the sec-param levels will adapt\nto the acceptable security levels with the new versions of gnutls.",
+ "argument-type": "number"
+ },
+ {
+ "long-option": "curve",
+ "description": "Specify the curve used for EC key generation",
+ "detail": "Supported values are secp192r1, secp224r1, secp256r1, secp384r1 and secp521r1.",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "sec-param",
+ "description": "Specify the security level",
+ "detail": "This is alternative to the bits option. Available options are [low, legacy, medium, high, ultra].",
+ "argument-type": "string",
+ "argument-name": "Security parameter"
+ }
+ ]
},
- "options": [
- {
- "conflicts": "write",
- "arg-type": "string",
- "long-option": "set-id",
- "desc": "Set the CKA_ID (in hex) for the specified by the URL object",
- "detail": "Modifies or sets the CKA_ID in the specified by the URL object. The ID should be specified in hexadecimal format without a '0x' prefix."
- },
- {
- "long-option": "set-label",
- "desc": "Set the CKA_LABEL for the specified by the URL object",
- "detail": "Modifies or sets the CKA_LABEL in the specified by the URL object",
- "conflicts": "write set-id",
- "arg-type": "string"
- },
- {
- "long-option": "write",
- "desc": "Writes the loaded objects to a PKCS #11 token",
- "detail": "It can be used to write private, public keys, certificates or secret keys to a token. Must be combined with one of --load-privkey, --load-pubkey, --load-certificate option.\n\nWhen writing a certificate object, its CKA_ID is set to the same CKA_ID of the corresponding public key, if it exists on the token; otherwise it will be derived from the X.509 Subject Key Identifier of the certificate. If this behavior is undesired, write the public key to the token beforehand."
- },
- {
- "long-option": "delete",
- "desc": "Deletes the objects matching the given PKCS #11 URL",
- "detail": ""
- },
- {
- "arg-type": "string",
- "detail": "",
- "long-option": "label",
- "desc": "Sets a label for the write operation"
- },
- {
- "desc": "Sets an ID for the write operation",
- "detail": "Sets the CKA_ID to be set by the write operation. The ID should be specified in hexadecimal format without a '0x' prefix.",
- "arg-type": "string",
- "long-option": "id"
- },
- {
- "detail": "Marks the generated key with the CKA_WRAP flag.",
- "long-option": "mark-wrap",
- "disabled": "",
- "disable-prefix": "no-",
- "desc": "Marks the generated key to be a wrapping key"
- },
- {
- "disabled": "",
- "long-option": "mark-trusted",
- "disable-prefix": "no-",
- "conflicts": "mark-distrusted",
- "desc": "Marks the object to be written as trusted",
- "detail": "Marks the object to be generated/written with the CKA_TRUST flag."
- },
- {
- "detail": "Ensures that the objects retrieved have the CKA_X_TRUST flag.\nThis is p11-kit trust module extension, thus this flag is only valid with\np11-kit registered trust modules.",
- "desc": "When retrieving objects, it requires the objects to be distrusted (blacklisted)",
- "conflicts": "mark-trusted",
- "long-option": "mark-distrusted"
- },
- {
- "disable-prefix": "no-",
- "desc": "Marks the object to be written for decryption",
- "detail": "Marks the object to be generated/written with the CKA_DECRYPT flag set to true.",
- "disabled": "",
- "long-option": "mark-decrypt"
- },
- {
- "disable-prefix": "no-",
- "detail": "Marks the object to be generated/written with the CKA_SIGN flag set to true.",
- "disabled": "",
- "long-option": "mark-sign",
- "desc": "Marks the object to be written for signature generation"
- },
- {
- "disable-prefix": "no-",
- "desc": "Marks the object to be written as a CA",
- "long-option": "mark-ca",
- "disabled": "",
- "detail": "Marks the object to be generated/written with the CKA_CERTIFICATE_CATEGORY as CA."
- },
- {
- "disable-prefix": "no-",
- "long-option": "mark-private",
- "desc": "Marks the object to be written as private",
- "detail": "Marks the object to be generated/written with the CKA_PRIVATE flag. The written object will require a PIN to be used.",
- "disabled": ""
- },
- {
- "long-option": "ca",
- "aliases": "mark-ca"
- },
- {
- "aliases": "mark-private",
- "long-option": "private"
- },
- {
- "disabled": "",
- "desc": "Marks the object to be written as always authenticate",
- "long-option": "mark-always-authenticate",
- "disable-prefix": "no-",
- "detail": "Marks the object to be generated/written with the CKA_ALWAYS_AUTHENTICATE flag. The written object will Mark the object as requiring authentication (pin entry) before every operation."
- },
- {
- "detail": "This secret key will be written to the module if --write is specified.",
- "arg-type": "string",
- "desc": "Provide a hex encoded secret key",
- "long-option": "secret-key"
- },
- {
- "arg-type": "file",
- "file-exists": "yes",
- "long-option": "load-privkey",
- "desc": "Private key file to use",
- "detail": ""
- },
- {
- "arg-type": "file",
- "file-exists": "yes",
- "desc": "Public key file to use",
- "long-option": "load-pubkey",
- "detail": ""
- },
- {
- "arg-type": "file",
- "desc": "Certificate file to use",
- "detail": "",
- "long-option": "load-certificate",
- "file-exists": "yes"
- }
- ]
- },
- {
- "meta": {
- "desc": "Other options",
- "id": "other-options"
+ {
+ "ref": "write-object-related-options",
+ "description": "Writing objects",
+ "options": [
+ {
+ "long-option": "set-id",
+ "description": "Set the CKA_ID (in hex) for the specified by the URL object",
+ "detail": "Modifies or sets the CKA_ID in the specified by the URL object. The ID should be specified in hexadecimal format without a '0x' prefix.",
+ "conflicts": [
+ "write"
+ ],
+ "argument-type": "string"
+ },
+ {
+ "long-option": "set-label",
+ "description": "Set the CKA_LABEL for the specified by the URL object",
+ "detail": "Modifies or sets the CKA_LABEL in the specified by the URL object",
+ "conflicts": [
+ "write",
+ "set-id"
+ ],
+ "argument-type": "string"
+ },
+ {
+ "long-option": "write",
+ "description": "Writes the loaded objects to a PKCS #11 token",
+ "detail": "It can be used to write private, public keys, certificates or secret keys to a token. Must be combined with one of --load-privkey, --load-pubkey, --load-certificate option.\n\nWhen writing a certificate object, its CKA_ID is set to the same CKA_ID of the corresponding public key, if it exists on the token; otherwise it will be derived from the X.509 Subject Key Identifier of the certificate. If this behavior is undesired, write the public key to the token beforehand."
+ },
+ {
+ "long-option": "delete",
+ "description": "Deletes the objects matching the given PKCS #11 URL"
+ },
+ {
+ "long-option": "label",
+ "description": "Sets a label for the write operation",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "id",
+ "description": "Sets an ID for the write operation",
+ "detail": "Sets the CKA_ID to be set by the write operation. The ID should be specified in hexadecimal format without a '0x' prefix.",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "mark-wrap",
+ "description": "Marks the generated key to be a wrapping key",
+ "detail": "Marks the generated key with the CKA_WRAP flag.",
+ "disable-prefix": "no-"
+ },
+ {
+ "long-option": "mark-trusted",
+ "description": "Marks the object to be written as trusted",
+ "detail": "Marks the object to be generated/written with the CKA_TRUST flag.",
+ "conflicts": [
+ "mark-distrusted"
+ ],
+ "disable-prefix": "no-"
+ },
+ {
+ "long-option": "mark-distrusted",
+ "description": "When retrieving objects, it requires the objects to be distrusted (blacklisted)",
+ "detail": "Ensures that the objects retrieved have the CKA_X_TRUST flag.\nThis is p11-kit trust module extension, thus this flag is only valid with\np11-kit registered trust modules.",
+ "conflicts": [
+ "mark-trusted"
+ ]
+ },
+ {
+ "long-option": "mark-decrypt",
+ "description": "Marks the object to be written for decryption",
+ "detail": "Marks the object to be generated/written with the CKA_DECRYPT flag set to true.",
+ "disable-prefix": "no-"
+ },
+ {
+ "long-option": "mark-sign",
+ "description": "Marks the object to be written for signature generation",
+ "detail": "Marks the object to be generated/written with the CKA_SIGN flag set to true.",
+ "disable-prefix": "no-"
+ },
+ {
+ "long-option": "mark-ca",
+ "description": "Marks the object to be written as a CA",
+ "detail": "Marks the object to be generated/written with the CKA_CERTIFICATE_CATEGORY as CA.",
+ "disable-prefix": "no-"
+ },
+ {
+ "long-option": "mark-private",
+ "description": "Marks the object to be written as private",
+ "detail": "Marks the object to be generated/written with the CKA_PRIVATE flag. The written object will require a PIN to be used.",
+ "disable-prefix": "no-"
+ },
+ {
+ "long-option": "ca",
+ "aliases": "mark-ca"
+ },
+ {
+ "long-option": "private",
+ "aliases": "mark-private"
+ },
+ {
+ "long-option": "mark-always-authenticate",
+ "description": "Marks the object to be written as always authenticate",
+ "detail": "Marks the object to be generated/written with the CKA_ALWAYS_AUTHENTICATE flag. The written object will Mark the object as requiring authentication (pin entry) before every operation.",
+ "disable-prefix": "no-"
+ },
+ {
+ "long-option": "secret-key",
+ "description": "Provide a hex encoded secret key",
+ "detail": "This secret key will be written to the module if --write is specified.",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "load-privkey",
+ "description": "Private key file to use",
+ "file-exists": true,
+ "argument-type": "file"
+ },
+ {
+ "long-option": "load-pubkey",
+ "description": "Public key file to use",
+ "file-exists": true,
+ "argument-type": "file"
+ },
+ {
+ "long-option": "load-certificate",
+ "description": "Certificate file to use",
+ "file-exists": true,
+ "argument-type": "file"
+ }
+ ]
},
- "options": [
- {
- "desc": "Enable debugging",
- "arg-max": " 9999",
- "short-option": "d",
- "arg-type": "number",
- "detail": "Specifies the debug level.",
- "arg-min": "0 ",
- "long-option": "debug"
- },
- {
- "arg-type": "string",
- "detail": "",
- "long-option": "outfile",
- "desc": "Output file"
- },
- {
- "desc": "Force (user) login to token",
- "detail": "",
- "long-option": "login",
- "disable-prefix": "no-",
- "disabled": ""
- },
- {
- "long-option": "so-login",
- "disabled": "",
- "disable-prefix": "no-",
- "desc": "Force security officer login to token",
- "detail": "Forces login to the token as security officer (admin)."
- },
- {
- "long-option": "admin-login",
- "aliases": "so-login"
- },
- {
- "desc": "Tests the signature operation of the provided object",
- "long-option": "test-sign",
- "detail": "It can be used to test the correct operation of the signature operation.\nIf both a private and a public key are available this operation will sign and verify\nthe signed data."
- },
- {
- "detail": "This option can be combined with --test-sign, to sign with\na specific signature algorithm variant. The only option supported is 'RSA-PSS', and should be\nspecified in order to use RSA-PSS signature on RSA keys.",
- "arg-type": "string",
- "long-option": "sign-params",
- "desc": "Sign with a specific signature algorithm"
- },
- {
- "long-option": "hash",
- "detail": "This option can be combined with test-sign. Available hash functions are SHA1, RMD160, SHA256, SHA384, SHA512, SHA3-224, SHA3-256, SHA3-384, SHA3-512.",
- "desc": "Hash algorithm to use for signing",
- "arg-type": "string"
- },
- {
- "desc": "Generate random data",
- "detail": "Asks the token to generate a number of bytes of random bytes.",
- "arg-type": "number",
- "long-option": "generate-random"
- },
- {
- "detail": "",
- "short-option": "8",
- "long-option": "pkcs8",
- "desc": "Use PKCS #8 format for private keys"
- },
- {
- "long-option": "inder",
- "desc": "Use DER/RAW format for input",
- "disable-prefix": "no-",
- "detail": "Use DER/RAW format for input certificates and private keys.",
- "disabled": ""
- },
- {
- "long-option": "inraw",
- "aliases": "inder"
- },
- {
- "disable-prefix": "no-",
- "detail": "The output will be in DER or RAW format.",
- "long-option": "outder",
- "desc": "Use DER format for output certificates, private keys, and DH parameters",
- "disabled": ""
- },
- {
- "long-option": "outraw",
- "aliases": "outder"
- },
- {
- "long-option": "provider",
- "arg-type": "file",
- "desc": "Specify the PKCS #11 provider library",
- "detail": "This will override the default options in /etc/gnutls/pkcs11.conf"
- },
- {
- "arg-type": "string",
- "desc": "Specify parameters for the PKCS #11 provider library",
- "deprecated": "",
- "detail": "This is a PKCS#11 internal option used by few modules.\n Mainly for testing PKCS#11 modules.",
- "long-option": "provider-opts"
- },
- {
- "disable-prefix": "no-",
- "long-option": "detailed-url",
- "disabled": "",
- "desc": "Print detailed URLs",
- "detail": ""
- },
- {
- "desc": "Print a compact listing using only the URLs",
- "long-option": "only-urls",
- "detail": ""
- },
- {
- "detail": "In batch mode there will be no prompts, all parameters need to be specified on command line.",
- "long-option": "batch",
- "desc": "Disable all interaction with the tool"
- }
- ]
- }
-] \ No newline at end of file
+ {
+ "ref": "other-options",
+ "description": "Other options",
+ "options": [
+ {
+ "long-option": "debug",
+ "short-option": "d",
+ "description": "Enable debugging",
+ "detail": "Specifies the debug level.",
+ "argument-range": {
+ "min": 0,
+ "max": 9999
+ },
+ "argument-type": "number"
+ },
+ {
+ "long-option": "outfile",
+ "description": "Output file",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "login",
+ "description": "Force (user) login to token",
+ "disable-prefix": "no-"
+ },
+ {
+ "long-option": "so-login",
+ "description": "Force security officer login to token",
+ "detail": "Forces login to the token as security officer (admin).",
+ "disable-prefix": "no-"
+ },
+ {
+ "long-option": "admin-login",
+ "aliases": "so-login"
+ },
+ {
+ "long-option": "test-sign",
+ "description": "Tests the signature operation of the provided object",
+ "detail": "It can be used to test the correct operation of the signature operation.\nIf both a private and a public key are available this operation will sign and verify\nthe signed data."
+ },
+ {
+ "long-option": "sign-params",
+ "description": "Sign with a specific signature algorithm",
+ "detail": "This option can be combined with --test-sign, to sign with\na specific signature algorithm variant. The only option supported is 'RSA-PSS', and should be\nspecified in order to use RSA-PSS signature on RSA keys.",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "hash",
+ "description": "Hash algorithm to use for signing",
+ "detail": "This option can be combined with test-sign. Available hash functions are SHA1, RMD160, SHA256, SHA384, SHA512, SHA3-224, SHA3-256, SHA3-384, SHA3-512.",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "generate-random",
+ "description": "Generate random data",
+ "detail": "Asks the token to generate a number of bytes of random bytes.",
+ "argument-type": "number"
+ },
+ {
+ "long-option": "pkcs8",
+ "short-option": "8",
+ "description": "Use PKCS #8 format for private keys"
+ },
+ {
+ "long-option": "inder",
+ "description": "Use DER/RAW format for input",
+ "detail": "Use DER/RAW format for input certificates and private keys.",
+ "disable-prefix": "no-"
+ },
+ {
+ "long-option": "inraw",
+ "aliases": "inder"
+ },
+ {
+ "long-option": "outder",
+ "description": "Use DER format for output certificates, private keys, and DH parameters",
+ "detail": "The output will be in DER or RAW format.",
+ "disable-prefix": "no-"
+ },
+ {
+ "long-option": "outraw",
+ "aliases": "outder"
+ },
+ {
+ "long-option": "provider",
+ "description": "Specify the PKCS #11 provider library",
+ "detail": "This will override the default options in /etc/gnutls/pkcs11.conf",
+ "argument-type": "file"
+ },
+ {
+ "long-option": "provider-opts",
+ "description": "Specify parameters for the PKCS #11 provider library",
+ "detail": "This is a PKCS#11 internal option used by few modules.\n Mainly for testing PKCS#11 modules.",
+ "deprecated": true,
+ "argument-type": "string"
+ },
+ {
+ "long-option": "detailed-url",
+ "description": "Print detailed URLs",
+ "disable-prefix": "no-"
+ },
+ {
+ "long-option": "only-urls",
+ "description": "Print a compact listing using only the URLs"
+ },
+ {
+ "long-option": "batch",
+ "description": "Disable all interaction with the tool",
+ "detail": "In batch mode there will be no prompts, all parameters need to be specified on command line."
+ }
+ ]
+ }
+ ]
+} \ No newline at end of file
diff --git a/src/psktool-options.json b/src/psktool-options.json
index 22771fa236..d97895013f 100644
--- a/src/psktool-options.json
+++ b/src/psktool-options.json
@@ -1,53 +1,56 @@
-[
- {
- "meta": {
- "explain": "",
- "desc": "",
- "prog-name": "psktool",
- "prog-desc": "Program to create PSK parameters.\n",
- "detail": "Program that generates random keys for use with TLS-PSK. The\nkeys are stored in hexadecimal format in a key file.",
- "prog-title": "GnuTLS PSK tool",
- "short-usage": "psktool [options]\npsktool --help for usage instructions.\n"
- },
- "options": [
- {
- "desc": "Enable debugging",
- "detail": "Specifies the debug level.",
- "arg-min": "0 ",
- "arg-max": " 9999",
- "arg-type": "number",
- "short-option": "d",
- "long-option": "debug"
- },
- {
- "long-option": "keysize",
- "desc": "Specify the key size in bytes (default is 32-bytes or 256-bits)",
- "short-option": "s",
- "arg-type": "number",
- "detail": "",
- "arg-min": "0 ",
- "arg-max": " 512"
- },
- {
- "long-option": "username",
- "desc": "Specify the username to use",
- "arg-type": "string",
- "detail": "",
- "short-option": "u"
- },
- {
- "long-option": "pskfile",
- "detail": "This option will specify the pre-shared key file to store the generated keys.",
- "short-option": "p",
- "arg-type": "string",
- "desc": "Specify a pre-shared key file"
- },
- {
- "deprecated": "",
- "desc": "Specify a pre-shared key file",
- "aliases": "pskfile",
- "long-option": "passwd"
- }
- ]
- }
-] \ No newline at end of file
+{
+ "format-version": "0.1.0",
+ "tool": {
+ "name": "psktool",
+ "title": "GnuTLS PSK tool",
+ "description": "Program to create PSK parameters.\n",
+ "detail": "Program that generates random keys for use with TLS-PSK. The\nkeys are stored in hexadecimal format in a key file.",
+ "short-usage": "psktool [options]\npsktool --help for usage instructions.\n"
+ },
+ "sections": [
+ {
+ "options": [
+ {
+ "long-option": "debug",
+ "short-option": "d",
+ "description": "Enable debugging",
+ "detail": "Specifies the debug level.",
+ "argument-range": {
+ "min": 0,
+ "max": 9999
+ },
+ "argument-type": "number"
+ },
+ {
+ "long-option": "keysize",
+ "short-option": "s",
+ "description": "Specify the key size in bytes (default is 32-bytes or 256-bits)",
+ "argument-range": {
+ "min": 0,
+ "max": 512
+ },
+ "argument-type": "number"
+ },
+ {
+ "long-option": "username",
+ "short-option": "u",
+ "description": "Specify the username to use",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "pskfile",
+ "short-option": "p",
+ "description": "Specify a pre-shared key file",
+ "detail": "This option will specify the pre-shared key file to store the generated keys.",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "passwd",
+ "description": "Specify a pre-shared key file",
+ "deprecated": true,
+ "aliases": "pskfile"
+ }
+ ]
+ }
+ ]
+} \ No newline at end of file
diff --git a/src/srptool-options.json b/src/srptool-options.json
index 489eb7a73b..f24dea9f74 100644
--- a/src/srptool-options.json
+++ b/src/srptool-options.json
@@ -1,71 +1,69 @@
-[
- {
- "meta": {
- "prog-desc": "Simple program to create SRP parameters.\n",
- "explain": "",
- "short-usage": "srptool [options]\nsrptool --help for usage instructions.\n",
- "detail": "Simple program that emulates the programs in the Stanford SRP (Secure\nRemote Password) libraries using GnuTLS. It is intended for use in places\nwhere you don't expect SRP authentication to be the used for system users.\n\nIn brief, to use SRP you need to create two files. These are the password\nfile that holds the users and the verifiers associated with them and the\nconfiguration file to hold the group parameters (called tpasswd.conf).",
- "desc": "",
- "prog-name": "srptool",
- "prog-title": "GnuTLS SRP tool"
- },
- "options": [
- {
- "short-option": "d",
- "arg-min": "0 ",
- "detail": "Specifies the debug level.",
- "desc": "Enable debugging",
- "long-option": "debug",
- "arg-type": "number",
- "arg-max": " 9999"
- },
- {
- "desc": "specify the index of the group parameters in tpasswd.conf to use",
- "detail": "",
- "short-option": "i",
- "arg-type": "number",
- "arg-default": "3",
- "long-option": "index"
- },
- {
- "arg-type": "string",
- "long-option": "username",
- "detail": "",
- "desc": "specify a username",
- "short-option": "u"
- },
- {
- "long-option": "passwd",
- "desc": "specify a password file",
- "arg-type": "string",
- "detail": "",
- "short-option": "p"
- },
- {
- "long-option": "salt",
- "short-option": "s",
- "desc": "specify salt size",
- "detail": "",
- "arg-type": "number"
- },
- {
- "desc": "just verify the password.",
- "long-option": "verify",
- "detail": "Verifies the password provided against the password file."
- },
- {
- "detail": "Specify a filename or a PKCS #11 URL to read the CAs from.",
- "short-option": "v",
- "long-option": "passwd-conf",
- "desc": "specify a password conf file.",
- "arg-type": "string"
- },
- {
- "arg-type": "string",
- "detail": "This generates a password configuration file (tpasswd.conf)\ncontaining the required for TLS parameters.",
- "desc": "Generate a password configuration file.",
- "long-option": "create-conf"
- }
- ]
- }
-] \ No newline at end of file
+{
+ "format-version": "0.1.0",
+ "tool": {
+ "name": "srptool",
+ "title": "GnuTLS SRP tool",
+ "description": "Simple program to create SRP parameters.\n",
+ "detail": "Simple program that emulates the programs in the Stanford SRP (Secure\nRemote Password) libraries using GnuTLS. It is intended for use in places\nwhere you don't expect SRP authentication to be the used for system users.\n\nIn brief, to use SRP you need to create two files. These are the password\nfile that holds the users and the verifiers associated with them and the\nconfiguration file to hold the group parameters (called tpasswd.conf).",
+ "short-usage": "srptool [options]\nsrptool --help for usage instructions.\n"
+ },
+ "sections": [
+ {
+ "options": [
+ {
+ "long-option": "debug",
+ "short-option": "d",
+ "description": "Enable debugging",
+ "detail": "Specifies the debug level.",
+ "argument-range": {
+ "min": 0,
+ "max": 9999
+ },
+ "argument-type": "number"
+ },
+ {
+ "long-option": "index",
+ "short-option": "i",
+ "description": "specify the index of the group parameters in tpasswd.conf to use",
+ "argument-type": "number"
+ },
+ {
+ "long-option": "username",
+ "short-option": "u",
+ "description": "specify a username",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "passwd",
+ "short-option": "p",
+ "description": "specify a password file",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "salt",
+ "short-option": "s",
+ "description": "specify salt size",
+ "argument-type": "number"
+ },
+ {
+ "long-option": "verify",
+ "description": "just verify the password",
+ "detail": "Verifies the password provided against the password file."
+ },
+ {
+ "long-option": "passwd-conf",
+ "short-option": "v",
+ "description": "specify a password conf file",
+ "detail": "Specify a filename or a PKCS #11 URL to read the CAs from.",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "create-conf",
+ "description": "Generate a password configuration file",
+ "detail": "This generates a password configuration file (tpasswd.conf)\ncontaining the required for TLS parameters.",
+ "argument-type": "string"
+ }
+ ]
+ }
+ ]
+} \ No newline at end of file
diff --git a/src/systemkey-tool-options.json b/src/systemkey-tool-options.json
index 835ffb9c1c..9676d89af9 100644
--- a/src/systemkey-tool-options.json
+++ b/src/systemkey-tool-options.json
@@ -1,49 +1,48 @@
-[
- {
- "meta": {
- "detail": "Program that allows handling user keys as stored in the system in a uniform way.",
- "short-usage": "systemkey-tool [options]\nsystemkey-tool --help for usage instructions.\n",
- "prog-desc": "Program to handle system keys.\n",
- "explain": "",
- "prog-name": "systemkey-tool",
- "desc": "",
- "prog-title": "GnuTLS system key tool"
- },
- "options": [
- {
- "desc": "Enable debugging",
- "arg-type": "number",
- "short-option": "d",
- "arg-min": "0 ",
- "arg-max": " 9999",
- "long-option": "debug",
- "detail": "Specifies the debug level."
- },
- {
- "arg-type": "string",
- "long-option": "outfile",
- "detail": "",
- "desc": "Output file"
- },
- {
- "desc": "Lists all stored keys.",
- "detail": "",
- "long-option": "list"
- },
- {
- "arg-name": "url",
- "detail": "",
- "long-option": "delete",
- "desc": "Delete the key identified by the given URL.",
- "arg-type": "string"
- },
- {
- "long-option": "outder",
- "desc": "Use DER format for output keys",
- "disabled": "",
- "detail": "The output will be in DER format.",
- "disable-prefix": "no-"
- }
- ]
- }
-] \ No newline at end of file
+{
+ "format-version": "0.1.0",
+ "tool": {
+ "name": "systemkey-tool",
+ "title": "GnuTLS system key tool",
+ "description": "Program to handle system keys.\n",
+ "detail": "Program that allows handling user keys as stored in the system in a uniform way.",
+ "short-usage": "systemkey-tool [options]\nsystemkey-tool --help for usage instructions.\n"
+ },
+ "sections": [
+ {
+ "options": [
+ {
+ "long-option": "debug",
+ "short-option": "d",
+ "description": "Enable debugging",
+ "detail": "Specifies the debug level.",
+ "argument-range": {
+ "min": 0,
+ "max": 9999
+ },
+ "argument-type": "number"
+ },
+ {
+ "long-option": "outfile",
+ "description": "Output file",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "list",
+ "description": "Lists all stored keys"
+ },
+ {
+ "long-option": "delete",
+ "description": "Delete the key identified by the given URL",
+ "argument-type": "string",
+ "argument-name": "url"
+ },
+ {
+ "long-option": "outder",
+ "description": "Use DER format for output keys",
+ "detail": "The output will be in DER format.",
+ "disable-prefix": "no-"
+ }
+ ]
+ }
+ ]
+} \ No newline at end of file
diff --git a/src/tpmtool-options.json b/src/tpmtool-options.json
index 22b07a0a6e..97515edff1 100644
--- a/src/tpmtool-options.json
+++ b/src/tpmtool-options.json
@@ -1,133 +1,143 @@
-[
- {
- "meta": {
- "prog-name": "tpmtool",
- "desc": "",
- "short-usage": "tpmtool [options]\ntpmtool --help for usage instructions.\n",
- "prog-desc": "Program to handle TPM as a cryptographic device.\n",
- "detail": "Program that allows handling cryptographic data from the TPM chip.",
- "explain": "",
- "prog-title": "GnuTLS TPM tool"
- },
- "options": [
- {
- "short-option": "d",
- "arg-max": " 9999",
- "desc": "Enable debugging",
- "arg-min": "0 ",
- "long-option": "debug",
- "arg-type": "number",
- "detail": "Specifies the debug level."
- },
- {
- "long-option": "infile",
- "arg-type": "file",
- "file-exists": "yes",
- "desc": "Input file",
- "detail": ""
- },
- {
- "detail": "",
- "desc": "Output file",
- "long-option": "outfile",
- "arg-type": "string"
- },
- {
- "desc": "Generate an RSA private-public key pair",
- "detail": "Generates an RSA private-public key pair in the TPM chip. \nThe key may be stored in file system and protected by a PIN, or stored (registered)\nin the TPM chip flash.",
- "long-option": "generate-rsa"
- },
- {
- "requires": "generate-rsa",
- "desc": "Any generated key will be registered in the TPM",
- "long-option": "register",
- "detail": ""
- },
- {
- "conflicts": "legacy",
- "requires": "generate-rsa",
- "long-option": "signing",
- "desc": "Any generated key will be a signing key",
- "detail": ""
- },
- {
- "desc": "Any generated key will be a legacy key",
- "conflicts": "signing",
- "detail": "",
- "requires": "generate-rsa",
- "long-option": "legacy"
- },
- {
- "requires": "register",
- "desc": "Any registered key will be a user key",
- "long-option": "user",
- "detail": "The generated key will be stored in a user specific persistent storage.",
- "conflicts": "system"
- },
- {
- "detail": "The generated key will be stored in system persistent storage.",
- "long-option": "system",
- "desc": "Any registered key will be a system key",
- "conflicts": "user",
- "requires": "register"
- },
- {
- "detail": "",
- "arg-type": "string",
- "arg-name": "url",
- "long-option": "pubkey",
- "desc": "Prints the public key of the provided key"
- },
- {
- "detail": "",
- "long-option": "list",
- "desc": "Lists all stored keys in the TPM"
- },
- {
- "arg-type": "string",
- "desc": "Delete the key identified by the given URL (UUID).",
- "arg-name": "url",
- "long-option": "delete",
- "detail": ""
- },
- {
- "arg-name": "url",
- "long-option": "test-sign",
- "arg-type": "string",
- "desc": "Tests the signature operation of the provided object",
- "detail": "It can be used to test the correct operation of the signature operation.\nThis operation will sign and verify the signed data."
- },
- {
- "arg-name": "Security parameter",
- "arg-type": "string",
- "detail": "This is alternative to the bits option. Note however that the\nvalues allowed by the TPM chip are quantized and given values may be rounded up.",
- "long-option": "sec-param",
- "desc": "Specify the security level [low, legacy, medium, high, ultra]."
- },
- {
- "desc": "Specify the number of bits for key generate",
- "arg-type": "number",
- "detail": "",
- "long-option": "bits"
- },
- {
- "long-option": "inder",
- "disable-prefix": "no-",
- "detail": "The input files will be assumed to be in the portable\nDER format of TPM. The default format is a custom format used by various\nTPM tools",
- "desc": "Use the DER format for keys.",
- "disabled": ""
- },
- {
- "disabled": "",
- "long-option": "outder",
- "desc": "Use DER format for output keys",
- "detail": "The output will be in the TPM portable DER format.",
- "disable-prefix": "no-"
- },
- {
- "desc": "SRK has well known password (20 bytes of zeros)",
- "long-option": "srk-well-known"
- }
- ]
- }
-] \ No newline at end of file
+{
+ "format-version": "0.1.0",
+ "tool": {
+ "name": "tpmtool",
+ "title": "GnuTLS TPM tool",
+ "description": "Program to handle TPM as a cryptographic device.\n",
+ "detail": "Program that allows handling cryptographic data from the TPM chip.",
+ "short-usage": "tpmtool [options]\ntpmtool --help for usage instructions.\n"
+ },
+ "sections": [
+ {
+ "options": [
+ {
+ "long-option": "debug",
+ "short-option": "d",
+ "description": "Enable debugging",
+ "detail": "Specifies the debug level.",
+ "argument-range": {
+ "min": 0,
+ "max": 9999
+ },
+ "argument-type": "number"
+ },
+ {
+ "long-option": "infile",
+ "description": "Input file",
+ "file-exists": true,
+ "argument-type": "file"
+ },
+ {
+ "long-option": "outfile",
+ "description": "Output file",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "generate-rsa",
+ "description": "Generate an RSA private-public key pair",
+ "detail": "Generates an RSA private-public key pair in the TPM chip. \nThe key may be stored in file system and protected by a PIN, or stored (registered)\nin the TPM chip flash."
+ },
+ {
+ "long-option": "register",
+ "description": "Any generated key will be registered in the TPM",
+ "requires": [
+ "generate-rsa"
+ ]
+ },
+ {
+ "long-option": "signing",
+ "description": "Any generated key will be a signing key",
+ "conflicts": [
+ "legacy"
+ ],
+ "requires": [
+ "generate-rsa"
+ ]
+ },
+ {
+ "long-option": "legacy",
+ "description": "Any generated key will be a legacy key",
+ "conflicts": [
+ "signing"
+ ],
+ "requires": [
+ "generate-rsa"
+ ]
+ },
+ {
+ "long-option": "user",
+ "description": "Any registered key will be a user key",
+ "detail": "The generated key will be stored in a user specific persistent storage.",
+ "conflicts": [
+ "system"
+ ],
+ "requires": [
+ "register"
+ ]
+ },
+ {
+ "long-option": "system",
+ "description": "Any registered key will be a system key",
+ "detail": "The generated key will be stored in system persistent storage.",
+ "conflicts": [
+ "user"
+ ],
+ "requires": [
+ "register"
+ ]
+ },
+ {
+ "long-option": "pubkey",
+ "description": "Prints the public key of the provided key",
+ "argument-type": "string",
+ "argument-name": "url"
+ },
+ {
+ "long-option": "list",
+ "description": "Lists all stored keys in the TPM"
+ },
+ {
+ "long-option": "delete",
+ "description": "Delete the key identified by the given URL (UUID)",
+ "argument-type": "string",
+ "argument-name": "url"
+ },
+ {
+ "long-option": "test-sign",
+ "description": "Tests the signature operation of the provided object",
+ "detail": "It can be used to test the correct operation of the signature operation.\nThis operation will sign and verify the signed data.",
+ "argument-type": "string",
+ "argument-name": "url"
+ },
+ {
+ "long-option": "sec-param",
+ "description": "Specify the security level [low, legacy, medium, high, ultra]",
+ "detail": "This is alternative to the bits option. Note however that the\nvalues allowed by the TPM chip are quantized and given values may be rounded up.",
+ "argument-type": "string",
+ "argument-name": "Security parameter"
+ },
+ {
+ "long-option": "bits",
+ "description": "Specify the number of bits for key generate",
+ "argument-type": "number"
+ },
+ {
+ "long-option": "inder",
+ "description": "Use the DER format for keys",
+ "detail": "The input files will be assumed to be in the portable\nDER format of TPM. The default format is a custom format used by various\nTPM tools",
+ "disable-prefix": "no-"
+ },
+ {
+ "long-option": "outder",
+ "description": "Use DER format for output keys",
+ "detail": "The output will be in the TPM portable DER format.",
+ "disable-prefix": "no-"
+ },
+ {
+ "long-option": "srk-well-known",
+ "description": "SRK has well known password (20 bytes of zeros)"
+ }
+ ]
+ }
+ ]
+} \ No newline at end of file